Zyxel security advisory for buffer overflow vulnerability in Realtek eCos SDK

CVE: CVE-2022-27255

Summary

Zyxel is aware of a buffer overflow vulnerability in some versions of Realtek’s Software Development Kit (SDK) and assures customers that Zyxel products are NOT affected.


What is the vulnerability?

A stack-based buffer overflow vulnerability was found in the SIP ALG (Application Layer Gateway) module in some versions of Realtek's eCos SDK. A remote, unauthenticated attacker could trigger the overflow with a crafted SIP packet containing malicious SDP data, causing a crash or achieving arbitrary code execution on the affected device.
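The following is an added illustration of the bug class the advisory describes, not code from Realtek's SDK or from any Zyxel product: a SIP ALG that copies the SDP "m=" (media) line into a fixed-size stack buffer without checking its length, next to a bounded version that works on length-delimited packet data and rejects over-long lines. The buffer size `MEDIA_BUF`, the function names, and the sample INVITE are assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Size of the fixed stack buffer the (hypothetical) ALG uses for the
 * SDP media line. Chosen for illustration; not a value from Realtek's code. */
#define MEDIA_BUF 64

/* Constructed sample INVITE with a well-formed SDP body (not a real capture). */
static const char SAMPLE_INVITE[] =
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Content-Type: application/sdp\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 192.0.2.10\r\n"
    "c=IN IP4 192.0.2.10\r\n"
    "m=audio 49170 RTP/AVP 0\r\n";

/* VULNERABLE pattern (hypothetical): copies the m= line into a fixed stack
 * buffer with no length check. An m= line of MEDIA_BUF bytes or more
 * overruns buf[] and the saved return address behind it. Shown only to
 * illustrate the bug class; never feed it untrusted input. */
static int extract_media_line_unsafe(const char *sdp, char *out)
{
    char buf[MEDIA_BUF];
    const char *m = strstr(sdp, "m=");
    if (m == NULL)
        return -1;
    size_t len = strcspn(m, "\r\n");
    memcpy(buf, m, len);          /* no check that len < MEDIA_BUF */
    buf[len] = '\0';
    strcpy(out, buf);
    return 0;
}

/* HARDENED version: works on a length-delimited packet buffer (network data
 * is not NUL-terminated), only accepts "m=" at the start of a line, and
 * rejects a line that would not fit instead of truncating or overflowing.
 * Returns 0 on success, -1 if no m= line, -2 if the line is too long. */
static int extract_media_line_safe(const char *sdp, size_t sdp_len,
                                   char *out, size_t out_len)
{
    if (out_len == 0)
        return -2;
    for (size_t i = 0; i + 1 < sdp_len; i++) {
        bool line_start = (i == 0 || sdp[i - 1] == '\n');
        if (!line_start || sdp[i] != 'm' || sdp[i + 1] != '=')
            continue;
        size_t j = i;
        while (j < sdp_len && sdp[j] != '\r' && sdp[j] != '\n')
            j++;
        size_t len = j - i;
        if (len >= out_len)       /* leave room for the terminator */
            return -2;
        memcpy(out, sdp + i, len);
        out[len] = '\0';
        return 0;
    }
    return -1;
}

/* ALG entry point: locate the SDP body after the blank line that ends the
 * SIP headers and parse its media line with the bounded routine.
 * Returns 1 if the packet is accepted, 0 if it is dropped. */
static int sip_alg_accept(const char *pkt, size_t pkt_len,
                          char *media, size_t media_len)
{
    const char *body = NULL;
    for (size_t i = 0; i + 3 < pkt_len; i++) {
        if (memcmp(pkt + i, "\r\n\r\n", 4) == 0) {
            body = pkt + i + 4;
            break;
        }
    }
    if (body == NULL)
        return 0;
    size_t body_len = pkt_len - (size_t)(body - pkt);
    return extract_media_line_safe(body, body_len, media, media_len) == 0;
}

/* Build a crafted INVITE whose m= line carries `fill` bytes of padding
 * (constructed test input). Returns the packet length, or 0 if dst is too small. */
static size_t build_crafted_invite(char *dst, size_t cap, size_t fill)
{
    static const char hdr[] = "INVITE sip:bob@example.com SIP/2.0\r\n\r\nv=0\r\nm=";
    size_t hlen = sizeof hdr - 1;
    if (hlen + fill + 2 > cap)
        return 0;
    memcpy(dst, hdr, hlen);
    memset(dst + hlen, 'A', fill);
    memcpy(dst + hlen + fill, "\r\n", 2);
    return hlen + fill + 2;
}

int main(void)
{
    char media[MEDIA_BUF];
    char crafted[512];

    printf("benign packet accepted: %d (%s)\n",
           sip_alg_accept(SAMPLE_INVITE, sizeof SAMPLE_INVITE - 1, media, sizeof media), media);
    size_t n = build_crafted_invite(crafted, sizeof crafted, 200);
    printf("crafted packet accepted: %d\n", sip_alg_accept(crafted, n, media, sizeof media));
    return 0;
}
```

The unsafe routine also matches "m=" anywhere in the packet via strstr, which is a second weakness; the bounded version anchors the match to a line start and carries explicit lengths end to end, which is the property to look for when auditing an ALG or any other in-path packet parser.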


What versions are vulnerable, and what should you do?

After a thorough investigation, we can confirm that Zyxel products are NOT affected, because they either do not use a vulnerable SDK version or do not include the vulnerable SIP ALG module.


Got a question?

If you are an ISP with customized models, please contact your Zyxel sales or service representative for further information or assistance. If you are an end user who acquired your Zyxel device from an ISP, please reach out to the ISP's support team directly, as the device may have custom-built settings.


Revision history

2022-08-18: Initial release.