Zyxel USG < 5.37 / ATP < 5.37 / VPN < 5.37 Multiple Vulnerabilities

high Nessus Plugin ID 179407

Synopsis

The remote security gateway is affected by a remote code execution vulnerability.

Description

The firmware version of the Zyxel USG, ATP, or VPN device is earlier than 5.37. This firmware is affected by multiple vulnerabilities:

- A command injection vulnerability in the Free Time WiFi hotspot feature of some firewall versions could allow an unauthenticated, LAN-based attacker to execute some OS commands on an affected device. (CVE-2023-34139)
- A command injection vulnerability in the hotspot management feature of some firewall versions could allow an unauthenticated, LAN-based attacker to execute some OS commands on an affected device if the attacker could trick an authorized administrator into adding their IP address to the list of trusted RADIUS clients in advance. (CVE-2023-34138)
- A command injection vulnerability in the configuration parser of some firewall versions could allow an unauthenticated, LAN-based attacker to execute some OS commands by using a crafted GRE configuration when the cloud management mode is enabled. (CVE-2023-33012)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Upgrade Zyxel USG / ATP / VPN to version 5.37 or later.

See Also

http://www.nessus.org/u?315d4ab6

Plugin Details

Severity: High

ID: 179407

File Name: zyxel_usg_CVE-2023-34139.nasl

Version: 1.2

Type: combined

Family: Firewalls

Published: 8/7/2023

Updated: 7/4/2024

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: High

Score: 7.4

CVSS v2

Risk Factor: High

Base Score: 8.3

Temporal Score: 6.9

Vector: CVSS2#AV:A/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2023-34141

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 8.2

Vector: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

CVSS Score Source: CVE-2023-34139

Vulnerability Information

CPE: cpe:/h:zyxel:usg_flex

Required KB Items: installed_sw/Zyxel Unified Security Gateway (USG)

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 7/18/2023

Vulnerability Publication Date: 7/18/2023

Exploitable With

Metasploit (Zyxel parse_config.py Command Injection)

Reference Information

CVE: CVE-2023-28767, CVE-2023-33011, CVE-2023-33012, CVE-2023-34138, CVE-2023-34139, CVE-2023-34140, CVE-2023-34141