CVE-2023-28771:
Remote Command Injection Vulnerability in Zyxel Firewall Products
Score
- Score: 9.8 (Critical)
- Published Date: Apr 25, 2023
- CISA KEV Date: May 31, 2023
- Industries Affected: 20
Threat Predictions
- EPSS Score: 94.3
- EPSS Percentile: 100%
Exploitability
- Score: 3.9
- Attack Vector: NETWORK
- Attack Complexity: LOW
- Privileges Required: NONE
- User Interaction: NONE
- Scope: UNCHANGED
Impact
- Score: 5.9
- Confidentiality Impact: HIGH
- Integrity Impact: HIGH
- Availability Impact: HIGH
Overview
This vulnerability affects Zyxel firewall products and allows unauthenticated remote code execution. The flaw lies in the error message handling of the IKE packet decoder component. By sending specially crafted packets to a vulnerable device, an attacker can inject and execute arbitrary operating system commands with the privileges of the firewall application. Because no authentication is required, the vulnerability poses a severe risk to organizations running affected Zyxel products. Affected product lines are the ZyWALL/USG series (firmware 4.60-4.73), the VPN series (firmware 4.60-5.35), the USG FLEX series (firmware 4.60-5.35), and the ATP series (firmware 4.60-5.35).
Remediation
To address this vulnerability, organizations should:
1. Update affected devices to the latest firmware version provided by Zyxel:
   - ZyWALL/USG series: update to firmware v4.73 patch 1 or later
   - VPN series: update to firmware v5.35 patch 1 or later
   - USG FLEX series: update to firmware v5.35 patch 1 or later
   - ATP series: update to firmware v5.35 patch 1 or later
2. If immediate patching is not possible, implement the following mitigations:
   - Restrict access to the management interface using IP filtering
   - Configure firewall rules to block unauthorized access to the affected services
   - Monitor network traffic for suspicious activity targeting the device
   - Consider placing affected devices behind additional security controls
3. After updating, verify that the patch has been applied by checking the firmware version through the device's management interface.
References
1. Zyxel Security Advisory: https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-remote-command-injection-vulnerability-of-firewalls
2. Exploit details: http://packetstormsecurity.com/files/172820/Zyxel-IKE-Packet-Decoder-Unauthenticated-Remote-Code-Execution.html
3. CWE-78: OS Command Injection: https://cwe.mitre.org/data/definitions/78.html
4. MITRE CVE Entry: CVE-2023-28771
Armis Early Warning
Armis Early Warning provides proactive threat intelligence and early detection capabilities.
- Armis Alert Date: May 20, 2023
- CISA KEV Date: May 31, 2023
- Days Early: 36 Days
Industries Affected
Below is a list of industries most commonly impacted or potentially at risk based on intelligence.