Zyxel security advisory for multiple vulnerabilities

CVEs: CVE-2023-28769, CVE-2023-28770, CVE-2022-45440

Summary

Zyxel is aware of multiple vulnerabilities reported by our security consultancy partner, SEC Consult, and advises users to install the applicable firmware updates for optimal protection.


What are the vulnerabilities?

There are eight vulnerabilities, identified as follows.

  1. Multiple buffer overflow vulnerabilities were discovered in the web server of the affected devices. (CVE-2023-28769)
  2. The CGI program lacks a proper permission control mechanism, which could allow an attacker to read sensitive files on the devices. (CVE-2023-28770)
  3. Insufficiently protected credentials in the configuration file of the devices could allow an attacker to retrieve the passwords. (CVE-2023-28770)
  4. Command injection vulnerabilities were found in the diagnostic tool and the certificate upload interface of the devices.
  5. Access control vulnerabilities in the devices could allow a less privileged user to access functionality of a more privileged role.
  6. An improper symbolic link processing vulnerability in the FTP server could allow an attacker to gain read access to the root file system. (CVE-2022-45440)
  7. A security flaw was found in the API of the devices that could be abused without authentication to obtain a new session key.
  8. A cross-site scripting vulnerability was identified in the printer name field of the print server menu within the web interface of the devices.


What versions are vulnerable—and what should you do?

After a thorough investigation, we’ve identified the affected products that are within their warranty and support period, as shown in the table below. If a product is not listed, it is not affected or has reached end-of-life. Please note that the table below does NOT include customized models for internet service providers (ISPs).

Affected series/models    Patch availability
CPE
  DX3301-T0               V5.50(ABVY.3)C0 in Sep. 2022*
  DX5401-B0               V5.17(ABYO.1)C0*
  EMG3525-T50B            EMEA - V5.50(ABPM.6)C0*
                          S. America - V5.50(ABSL.0)b12 in Sep. 2022*
  EMG5523-T50B            EMEA - V5.50(ABPM.6)C0*
                          S. America - V5.50(ABSL.0)b12 in Sep. 2022*
  EMG5723-T50K            V5.50(ABOM.7)C0*
  EX3301-T0               V5.50(ABVY.3)C0 in Sep. 2022*
  EX5401-B0               V5.17(ABYO.1)C0*
  EX5501-B0               V5.17(ABRY.2)C0*
  LTE3301-PLUS            V1.00(ABQU.3)C0*
  LTE7240-M403            V2.00(ABMG.4)C0*
  VMG1312-T20B            V5.50(ABSB.5)C0*
  VMG3625-T50B            V5.50(ABPM.6)C0*
  VMG3927-B50A            V5.17(ABMT.6)C0*
  VMG3927-B60A            V5.17(ABMT.6)C0*
  VMG3927-T50K            V5.50(ABOM.7)C0*
  VMG4005-B50A            V5.15(ABQA.2)C0 in Mar. 2022*
  VMG8623-T50B            V5.50(ABPM.6)C0*
  VMG8825-B50A            V5.17(ABMT.6)C0*
  VMG8825-B50B            V5.17(ABNY.7)C0*
  VMG8825-B60A            V5.17(ABMT.6)C0*
  VMG8825-B60B            V5.17(ABNY.7)C0*
  VMG8825-T50K            V5.50(ABOM.7)C0*
  XMG3927-B50A            V5.17(ABMT.6)C0*
  XMG8825-B50A            V5.17(ABMT.6)C0*
ONT
  AX7501-B0               V5.17(ABPC.1)C0*
  EP240P                  V5.40(ABVH.1)C0 in May 2022*
  PMG5317-T20B            V5.40(ABKI.4)C0 in Apr. 2022*
  PMG5617GA               V5.40(ABNA.2)C0 in Apr. 2022*
  PMG5622GA               V5.40(ABNB.2)C0 in Apr. 2022*
Wireless extender
  WX3100-T0               V5.50(ABVL.1)C0 in Mar. 2022*
  WX3401-B0               V5.17(ABVE.1)C0*
*Please reach out to your local Zyxel support team for the file.
**The above list does not include products designed by our affiliate, Zyxel Networks. If you have questions regarding products that are not listed above, please visit here for the complete affected model list and the latest firmware release schedule.
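As an added illustration (this is not Zyxel's code), a small triage helper that checks a device inventory against the patched firmware versions in the table above. It assumes that Zyxel version strings have the form V<major>.<minor>(<branch>.<rev>)<suffix>, that a listed fix only applies to devices on the same branch code, and it embeds a constructed subset of the table.

```python
import re

# Assumed Zyxel version layout: V<major>.<minor>(<branch>.<rev>)<suffix>,
# e.g. "V5.50(ABVY.3)C0". The suffix ("C0" release, "b12" beta build) is
# parsed but not compared in this example.
VERSION_RE = re.compile(r"^V(\d+)\.(\d+)\(([A-Z]+)\.(\d+)\)(\w+)$")

# Constructed subset of the advisory table: model -> patched firmware.
PATCHED = {
    "DX3301-T0": "V5.50(ABVY.3)C0",
    "EX5501-B0": "V5.17(ABRY.2)C0",
    "WX3401-B0": "V5.17(ABVE.1)C0",
}


def parse_version(s):
    """Split a Zyxel version string into (major, minor, branch, rev, suffix)."""
    m = VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised Zyxel version string: {s!r}")
    major, minor, branch, rev, suffix = m.groups()
    return (int(major), int(minor), branch, int(rev), suffix)


def is_patched(model, reported):
    """True if `reported` is at or above the advisory's fix for `model`.

    Returns None for models not in the table (unknown, not safe) and False
    when the branch code differs, so the device is flagged for manual review
    rather than silently treated as fixed.
    """
    fixed = PATCHED.get(model)
    if fixed is None:
        return None
    f = parse_version(fixed)
    r = parse_version(reported)
    if r[2] != f[2]:
        return False
    return (r[0], r[1], r[3]) >= (f[0], f[1], f[3])


def triage(inventory):
    """inventory: iterable of (hostname, model, firmware).

    Returns every entry that is not positively confirmed as patched."""
    return [(h, m, v) for h, m, v in inventory if is_patched(m, v) is not True]
```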

Got a question?

If you are an ISP with customized models, please contact your Zyxel sales or service representative for further information or assistance. If you are an end user who acquired your Zyxel device from an ISP, please reach out to the ISP's support team directly, as the device may have custom-built settings.


Acknowledgment

Thanks to SEC Consult for reporting the issues to us.


Revision history

2022-2-15: Initial release

2023-4-28: Updated CVE IDs