Zyxel Releases Security Updates

Security updates address vulnerabilities in Zyxel ATP, USG, and VPN products.

Threat ID:: CC-4323
Threat Severity:: Information only
Published:: 25 May 2023 3:27 PM

Report a cyber attack: call 0300 303 5222 or email [email protected]

Summary

Security updates address vulnerabilities in Zyxel ATP, USG, and VPN products.

Affected platforms

The following platforms are known to be affected:

Versions: ZLD V4.30 to V5.36 Patch 1

Zyxel Virtual Private Network (VPN) Series

Versions: ZLD V4.32 to V5.36 Patch 1

Zyxel ATP

Zyxel Unified Security Gateway (USG) FLEX

USG FLEX
- ZLD V4.50 to V5.36 Patch 1
USG FLEX50(W) / USG20(W)-VPN
- ZLD V4.25 to V5.36 Patch 1
ZyWALL/USG
- ZLD V4.25 to V4.73 Patch 1

Threat details

Introduction

Zyxel has released security updates to address vulnerabilities in a range of products and access points, including Zyxel VPN, ATP and USG. The Critical vulnerability CVE-2023-33009 is centred around buffer overflow, which could be exploited to allow a remote attacker to cause a denial-of-service condition or perform remote code execution.

The second Critical vulnerability CVE-2023-33010 is also a buffer overflow vulnerability, which is found within the ID processing function of the affected firewalls.

Remediation advice

Affected organisations are encouraged to review Zyxel's security advisories for CVE-2023-33009 and CVE-2023-33010 and apply the relevant updates.

Definitive source of threat updates

https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-multiple-buffer-overflow-vulnerabilities-of-firewalls

CVE Vulnerabilities

Status Published

CVE-2023-33009

A buffer overflow vulnerability in the notification function in Zyxel ATP series firmware versions 4.32 through 5.36 Patch 1, USG FLEX series firmware versions 4.50 through 5.36 Patch 1, USG FLEX 50(W) firmware versions 4.25 through 5.36 Patch 1, USG20(W)-VPN firmware versions 4.25 through 5.36 Patch 1, VPN series firmware versions 4.30 through 5.36 Patch 1, ZyWALL/USG series firmware versions 4.25 through 4.73 Patch 1, could allow an unauthenticated attacker to cause denial-of-service (DoS) conditions and even a remote code execution on an affected device.

Status Published

CVE-2023-33010

A buffer overflow vulnerability in the ID processing function in Zyxel ATP series firmware versions 4.32 through 5.36 Patch 1, USG FLEX series firmware versions 4.50 through 5.36 Patch 1, USG FLEX 50(W) firmware versions 4.25 through 5.36 Patch 1, USG20(W)-VPN firmware versions 4.25 through 5.36 Patch 1, VPN series firmware versions 4.30 through 5.36 Patch 1, ZyWALL/USG series firmware versions 4.25 through 4.73 Patch 1, could allow an unauthenticated attacker to cause denial-of-service (DoS) conditions and even a remote code execution on an affected device.

Last edited: 1 June 2023 1:27 pm