31 May 2023

ONGOING ATTACKS: Hackers exploit critical Zyxel firewall flaw | Bleeping Computer

Hackers exploit critical Zyxel firewall flaw in ongoing attacks

May 31, 2023, 01:54 PM

Hackers are performing widespread exploitation of a critical-severity command injection flaw in Zyxel networking devices, tracked as CVE-2023-28771, to install malware.

The flaw, which is present in the default configuration of impacted firewall and VPN devices, can be exploited to perform unauthenticated remote code execution using a specially crafted IKEv2 packet to UDP port 500 on the device.

Zyxel released patches for the vulnerability on April 25, 2023, urging users of the following product versions to apply them to resolve the vulnerability:

  • ATP – ZLD V4.60 to V5.35
  • USG FLEX – ZLD V4.60 to V5.35
  • VPN – ZLD V4.60 to V5.35
  • ZyWALL/USG – ZLD V4.60 to V4.73

Today, CISA published an alert warning that CVE-2023-28771 is being actively exploited by attackers, urging federal agencies to apply the available update by June 21, 2023.

This alert coincides with additional verification from Rapid7 today that confirms the active exploitation of the flaw.

One of the activity clusters confirmed to exploit CVE-2023-28771 is a Mirai-based botnet malware that, according to Shadowserver, started launching attacks on May 26, 2023.

A day earlier, cybersecurity researcher Kevin Beaumont spotted similar activity and highlighted the use of a publicly available proof-of-concept (PoC) exploit.

While the Mirai threat is typically limited to DDoS (distributed denial of service), other threat groups might engage in lower-scale and less-noticeable exploitation to launch more potent attacks against organizations.

It is also important to note that Zyxel has recently fixed two other critical-severity flaws, CVE-2023-33009 and CVE-2023-33010, which impact the same firewall and VPN products.

The two flaws could allow unauthenticated attackers to impose denial of service on vulnerable devices or execute arbitrary code.

System admins should apply the available security updates as soon as possible to mitigate emerging exploitation risks, as the more recent flaws are bound to get the attention of malicious actors.

At the time of writing, the latest available firmware version users are recommended to upgrade to is ‘ZLD V5.36 Patch 2’ for the ATP, USG FLEX, and VPN series, and ‘ZLD V4.73 Patch 2’ for ZyWALL/USG.

Zyxel warns of critical vulnerabilities in firewall and VPN devices

May 25, 2023, 09:31 AM

Zyxel is warning customers of two critical-severity vulnerabilities in several of its firewall and VPN products that attackers could leverage without authentication.

Both security issues are buffer overflows and could allow denial-of-service (DoS) and remote code execution on vulnerable devices.

“Zyxel has released patches for firewalls affected by multiple buffer overflow vulnerabilities,” the vendor says in a security advisory. “Users are advised to install them for optimal protection,” the company adds.

Buffer overflow issues allow memory manipulation, enabling attackers to write data beyond the allocated buffer. They typically lead to system crashes, but in some cases successful exploitation can allow code execution on the device.

Zyxel’s latest patch addresses the following problems:

  1. CVE-2023-33009: A buffer overflow vulnerability in the notification function in some Zyxel products, allowing an unauthenticated attacker to perform remote code execution or impose DoS conditions. (critical severity score of 9.8)
  2. CVE-2023-33010: A buffer overflow vulnerability in the ID processing function in some Zyxel products, allowing an unauthenticated attacker to perform remote code execution or impose DoS conditions. (critical severity score of 9.8)

The company says that vulnerable devices are running the following firmware:

  • Zyxel ATP firmware versions ZLD V4.32 to V5.36 Patch 1 (fixed in ZLD V5.36 Patch 2)
  • Zyxel USG FLEX firmware versions ZLD V4.50 to V5.36 Patch 1 (fixed in ZLD V5.36 Patch 2)
  • Zyxel USG FLEX50(W) / USG20(W)-VPN firmware versions ZLD V4.25 to V5.36 Patch 1 (fixed in ZLD V5.36 Patch 2)
  • Zyxel VPN firmware versions ZLD V4.30 to V5.36 Patch 1 (fixed in ZLD V5.36 Patch 2)
  • Zyxel ZyWALL/USG firmware versions ZLD V4.25 to V4.73 Patch 1 (fixed in ZLD V4.73 Patch 2)
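A defender's first step with these advisories is checking a firmware inventory against both affected-version tables, the earlier one for CVE-2023-28771 and the one just listed for CVE-2023-33009 and CVE-2023-33010. The script below is an added example and not Zyxel's or BleepingComputer's code; it reads the ranges as inclusive and assumes that a bound written without a patch level means that base release (patch 0), and the inventory entries in it are constructed.

```python
import re

# Affected firmware ranges transcribed from the two Zyxel advisories quoted on
# this page. Bounds are inclusive; a bound written without a patch level is
# read as that base release (patch 0), which is an assumption of this example.
ADVISORIES = [
    (("CVE-2023-28771",), {
        "ATP": ("V4.60", "V5.35"),
        "USG FLEX": ("V4.60", "V5.35"),
        "VPN": ("V4.60", "V5.35"),
        "ZyWALL/USG": ("V4.60", "V4.73"),
    }),
    (("CVE-2023-33009", "CVE-2023-33010"), {
        "ATP": ("V4.32", "V5.36 Patch 1"),
        "USG FLEX": ("V4.50", "V5.36 Patch 1"),
        "USG FLEX50(W) / USG20(W)-VPN": ("V4.25", "V5.36 Patch 1"),
        "VPN": ("V4.30", "V5.36 Patch 1"),
        "ZyWALL/USG": ("V4.25", "V4.73 Patch 1"),
    }),
]

_ZLD_RE = re.compile(r"(?:ZLD\s+)?V(\d+)\.(\d+)(?:\s+Patch\s+(\d+))?", re.IGNORECASE)


def parse_zld(version):
    """Turn 'ZLD V5.36 Patch 1' or 'V4.60' into a comparable (major, minor, patch) tuple."""
    m = _ZLD_RE.fullmatch(version.strip())
    if not m:
        raise ValueError(f"unrecognised ZLD version string: {version!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def affected_cves(product, version):
    """Return the CVEs from the two advisories that apply to the given product/firmware."""
    installed = parse_zld(version)
    hits = []
    for cves, ranges in ADVISORIES:
        bounds = ranges.get(product)
        if bounds is None:
            continue  # product not listed in this advisory
        low, high = (parse_zld(b) for b in bounds)
        if low <= installed <= high:
            hits.extend(cves)
    return hits


if __name__ == "__main__":
    # Constructed sample inventory, not real devices.
    inventory = [("ATP", "ZLD V5.35"), ("USG FLEX", "ZLD V5.36 Patch 1"),
                 ("ZyWALL/USG", "ZLD V4.73 Patch 2")]
    for product, version in inventory:
        cves = affected_cves(product, version)
        print(f"{product:12} {version:20} -> {', '.join(cves) or 'not affected'}")
```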

The vendor recommends users of the impacted products apply the newest security updates as soon as possible to eliminate the risk of hackers exploiting the two flaws.

Devices running the vulnerable versions above are used by small- to medium-sized businesses to protect their networks and to provide secure network access (VPNs) to remote or home-based workers.

Threat actors keep a watchful eye on any critical flaws that impact such devices as they could facilitate easy access to corporate networks.

Last week, cybersecurity researcher Kevin Beaumont reported that a command injection flaw Zyxel fixed in April is being actively exploited; it impacts the same firewall and VPN products as the two new flaws.

Last year, CISA published a warning about hackers leveraging a remote code execution flaw in Zyxel firewall and VPN devices, urging system administrators to apply the firmware patches as soon as possible.
