Severe Vulnerability in Zyxel Secure Routers Enables OS Command Execution Through Crafted Cookie


Zyxel recently addressed several critical security vulnerabilities across a range of its networking devices, including a particularly severe flaw identified as CVE-2024-7261. This vulnerability is an OS command injection issue (CWE-78) with a CVSS v3 score of 9.8, placing it in the “critical” category. The flaw stems from improper neutralization of special elements in the “host” parameter handled by the CGI program of certain Zyxel access point (AP) and security router models. Because the parameter is taken from a cookie, an unauthenticated attacker can exploit the vulnerability by sending a single HTTP request with a specially crafted cookie to a vulnerable device and execute arbitrary commands on the underlying operating system.
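To make the bug class concrete, the following Python is an added illustration and is not Zyxel’s firmware or CGI code: a web handler pulls a “host” value out of the Cookie header and builds a ping command from it. The vulnerable variant concatenates the value into a shell string (returned here instead of executed so the example is safe to run); the hardened variant validates the value as a hostname or IPv4 literal and passes it as a separate argv element so the shell never sees it. The cookie names, the ping wrapper and the sample headers are all constructed assumptions.

```python
import re
from typing import List, Optional

# Constructed sample Cookie headers (not captured traffic).
BENIGN_COOKIE = "sessionid=abc123; host=gateway.example.net"
# Cookie syntax splits on ';', so an injection payload has to use other
# shell metacharacters such as '|', '&&', backticks or '$(...)'.
MALICIOUS_COOKIE = "sessionid=abc123; host=gateway.example.net|id"


def cookie_host(cookie_header: str) -> Optional[str]:
    """Extract the 'host' cookie the way a minimal CGI parser would."""
    for part in cookie_header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name == "host":
            return value
    return None


def vulnerable_ping_command(cookie_header: str) -> str:
    """The injectable pattern: untrusted cookie value glued into a shell line.

    In the real bug class this string goes to system()/popen(), so the
    attacker-controlled '|id' becomes a second command. It is only
    returned here, never executed.
    """
    host = cookie_host(cookie_header) or ""
    return f"ping -c 1 {host}"


# One DNS label: alphanumeric, optional inner hyphens, 1-63 characters.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
# Dotted labels; IPv4 literals also match. IPv6 (colons) is deliberately
# rejected here because this wrapper has no need for it (assumption).
_HOSTNAME_RE = re.compile(rf"{_LABEL}(?:\.{_LABEL})*\.?")


def safe_ping_argv(cookie_header: str) -> List[str]:
    """Hardened version: allowlist-validate, then build argv (no shell).

    Pass the result to subprocess.run(argv, shell=False). Raises
    ValueError on a missing or malformed host.
    """
    host = cookie_host(cookie_header)
    if host is None or len(host) > 253 or not _HOSTNAME_RE.fullmatch(host):
        raise ValueError("rejected host value from cookie")
    return ["ping", "-c", "1", host]


def is_accepted(cookie_header: str) -> bool:
    """True if the hardened handler would run a ping for this header."""
    try:
        safe_ping_argv(cookie_header)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print("vulnerable builds:", vulnerable_ping_command(MALICIOUS_COOKIE))
    print("hardened accepts benign:", is_accepted(BENIGN_COOKIE))
    print("hardened accepts malicious:", is_accepted(MALICIOUS_COOKIE))
```

The design point is that escaping alone is fragile; the hardened path combines an allowlist on the value’s shape with an execution API that takes an argument vector, so even a value that slipped past validation could not start a second command.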

The specific models affected by CVE-2024-7261 include various devices from Zyxel’s NWA, WAC, WAX, and WBE series, as well as the USG LITE 60AX security router. The vulnerability impacts firmware versions as follows:

  • NWA Series: Version 7.00 and earlier are vulnerable. Users should upgrade to version 7.00(ABYW.2) or later.
  • WAC Series: Version 6.28 and earlier are vulnerable. Users should upgrade to version 6.28(AAXH.3) or later.
  • WAX Series: Version 7.00 and earlier are vulnerable. Users should upgrade to version 7.00(ACHF.2) or later.
  • WBE Series: Version 7.00 and earlier are vulnerable. Users should upgrade to version 7.00(ACLE.2) or later.
  • USG LITE 60AX: Version V2.00(ACIP.2) is affected. This model receives automatic updates via the cloud, and V2.00(ACIP.3) contains the patch.

In addition to CVE-2024-7261, Zyxel has released patches for multiple other vulnerabilities that affect its ATP and USG FLEX firewall series. These include:

  1. CVE-2024-6343: A buffer overflow vulnerability in the CGI program, which could lead to a denial of service (DoS) attack. This requires an authenticated admin to send a crafted HTTP request.
  2. CVE-2024-7203: A post-authentication command injection vulnerability that allows an authenticated admin to execute OS commands via a crafted CLI command.
  3. CVE-2024-42057: A command injection vulnerability in the IPSec VPN feature that an unauthenticated remote attacker can trigger with a crafted username. However, it is only exploitable if the device is configured in User-Based-PSK authentication mode and a valid user with a username longer than 28 characters exists.
  4. CVE-2024-42058: A null pointer dereference vulnerability that could cause a DoS attack if an unauthenticated attacker sends specially crafted packets.
  5. CVE-2024-42059: A post-authentication command injection vulnerability that allows an authenticated admin to execute OS commands by uploading a specially crafted compressed language file via FTP.
  6. CVE-2024-42060: Similar to CVE-2024-42059, this allows command injection by uploading a crafted internal user agreement file.
  7. CVE-2024-42061: A reflected cross-site scripting (XSS) vulnerability in “dynamic_script.cgi”. An attacker who tricks a user into visiting a crafted URL could run script in that user’s browser session, potentially leaking browser-based information.

The most notable among these is CVE-2024-42057, which has a CVSS v3 score of 8.1 (“high”). Although this vulnerability can be exploited remotely without authentication, its practical impact is limited by configuration prerequisites (User-Based-PSK mode plus a long username) that are not present in every deployment.

For those using Zyxel devices provided by Internet Service Providers (ISPs), Zyxel recommends contacting the ISP’s support team to ensure the correct patches are applied, as these devices often run customized firmware that requires tailored updates. ISPs are advised to contact their Zyxel sales or service representatives for further details on how to secure these devices.

Zyxel’s prompt release of these patches underscores the need for users to update affected devices immediately, given that the most severe flaw requires no authentication. Regularly checking for and applying firmware updates remains essential to maintaining a secure network environment.