What just happened? Taiwanese networking corporation Zyxel is once again facing a potential security crisis, as many of the company’s firewalls are affected by a couple of nasty vulnerabilities. Updated firmware versions are already available, and customers are strongly advised to install them as soon as possible.
The latest security advisory issued by Zyxel warns customers about multiple buffer overflow vulnerabilities discovered in several of the company’s firewall and VPN devices. The Taiwan-based manufacturer says the two flaws could be abused by attackers to execute malicious code or to breach vulnerable networks.
The first security flaw included in Zyxel’s advisory is tracked as CVE-2023-33009 and is described as a buffer overflow issue in the notification function in Zyxel ATP series firmware. The flaw could allow an unauthenticated attacker to cause a denial-of-service (DoS) condition on vulnerable appliances, or even to remotely execute malicious code on the affected firewall device.
The second flaw is tracked as CVE-2023-33010 and is a buffer overflow vulnerability in the ID processing function in Zyxel ATP series firmware. Once again, it could allow an unauthenticated attacker to cause “denial-of-service (DoS) conditions,” or to remotely execute code on an affected device. Both issues are classified as “critical” vulnerabilities, with a severity score of 9.8.
A buffer overflow condition occurs when a program (or one of its subroutines) writes data past the end of a buffer’s allocated memory, overwriting adjacent memory locations. The usual outcome is a system crash or an error message, yet sometimes the overflow can be exploited by skilled hackers or cyber-criminals to execute code or defeat security measures.
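To illustrate the bug class, here is an added C example that is not Zyxel’s code (the affected firmware is not shown on this page): a hypothetical handler copies a notification field whose length is claimed by an unauthenticated sender, first with the length trusted, then with the bounds check that keeps the copy inside the buffer.

```c
#include <stdint.h>
#include <string.h>

/* Hypothetical message layout, constructed for this example: the length
 * field comes from the (unauthenticated) sender and must not be trusted. */
#define NOTIFY_MAX 32

struct notify_msg {
    uint16_t len;           /* length claimed by the sender */
    const uint8_t *body;    /* payload bytes */
};

/* Vulnerable pattern: the claimed length is copied as-is, so a message
 * with len > NOTIFY_MAX writes past 'out' into whatever follows it in
 * memory (a crash at best, attacker-controlled data at worst). Shown for
 * contrast only; it is never called here. */
int handle_notify_unchecked(const struct notify_msg *m, char out[NOTIFY_MAX])
{
    memcpy(out, m->body, m->len);        /* no bounds check */
    out[m->len] = '\0';                  /* may also land past the buffer */
    return 0;
}

/* Hardened version: validate the length against the destination size
 * (leaving room for the terminator) before touching memory, and reject
 * the message instead of silently truncating it. */
int handle_notify_checked(const struct notify_msg *m, char out[NOTIFY_MAX])
{
    if (m->body == NULL || m->len >= NOTIFY_MAX)
        return -1;                       /* oversize or empty: reject */
    memcpy(out, m->body, m->len);
    out[m->len] = '\0';
    return 0;
}
```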
After a “thorough” internal investigation, Zyxel said it identified the firewall series affected by the aforementioned critical vulnerabilities. The devices which are within their “vulnerability support period,” Zyxel said, include the following series:
- ATP, firmware versions ZLD V4.32 to V5.36 Patch 1
- USG FLEX, firmware versions ZLD V4.50 to V5.36 Patch 1
- USG FLEX50(W) / USG20(W)-VPN, firmware versions ZLD V4.25 to V5.36 Patch 1
- VPN, firmware versions ZLD V4.30 to V5.36 Patch 1
- ZyWALL/USG, firmware versions ZLD V4.25 to V4.73 Patch 1
Zyxel has already released updated firmware builds to patch the two critical vulnerabilities, and customers should of course install the updates as soon as possible to avoid being targeted by attackers. Black hat hackers and cyber-criminals are always searching for vulnerable devices to breach networks belonging to private or public organizations, and they are usually pretty good at finding them.