CVE-2023-28771, the critical command injection vulnerability affecting many Zyxel firewalls, is being actively exploited by a Mirai-like botnet, and has been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog.
About CVE-2023-28771
CVE-2023-28771 is a vulnerability that allows unauthenticated attackers to execute OS commands remotely by sending crafted IKE (Internet Key Exchange) packets to an affected device.
Fixed by Zyxel in April 2023, it was expected to be quickly exploited by attackers once technical write-ups and PoCs are made public – and so it happened.
“While Internet Key Exchange (IKE) is the protocol used to initiate this exploit, it’s not a vulnerability in IKE itself, but it seems to be a result of this rogue debugging function that shouldn’t have made it into a production build of the firmware. But since IKE is the only known protocol where the path to this vulnerability can be triggered, it’s much more likely that only the Zyxel devices that are running IKE are actually vulnerable to this attack,” Censys researchers explained.
“This vulnerability stems from a problematic logging function. Instead of employing a secure file handling mechanism by opening up a file handle and writing data to that handle, Zyxel chose a different approach: They constructed an “echo” command by incorporating user-controlled input data. This echo command is subsequently executed through a system() call, writing the output to a file in /tmp. This implementation introduces an OS command injection vector, as the command construction process can be influenced by user-controllable input, and there is no data sanitization.”
CVE-2023-28771 exploited
Exploitation attempts started around May 25 and are being tracked by various cybersecurity companies and organizations.
Censys pinpointed 21,210 potentially vulnerable devices around the world, but predominantly in Europe (i.e., Italy, France, and Switzerland).
“These devices are deployed in all sorts of residential and business networks, both large and small. So the majority of networks these devices can be found in will be telecoms and other types of service providers,” they noted.
Vulnerable devices that haven’t been patched by now should be considered compromised and are already being leveraged in attacks (e.g., DDoS attacks).
Users who don’t know how to remediate the compromise should ask for help from their service provider. Those who have implemented the necessary update in time are advised to update again: Zyxel has relased new patches to fix two buffer overflow flaws (CVE-2023-33009, CVE-2023-33010) in those same firewalls on May 24.