On Wednesday, the 24th of May, 2023, Zyxel released a security advisory for several vulnerabilities capable of granting unauthenticated remote code execution (RCE) in their line of Firewall and VPN products, tracked as CVE-2023-33009 and CVE-2023-33010. These buffer overflow vulnerabilities are also capable of inducing denial of service conditions.
Several threat actors, such as the group operating the Mirai botnet, have exploited other vulnerabilities similar to this one in Zyxel products; this includes CVE-2023-28771, a vulnerability in Zyxel ZyWALL/USG appliances that was used for remote code execution. Additionally, CISA’s Known Exploited Vulnerabilities Catalog includes 3 known vulnerabilities in Zyxel products at this time (CVE-2022-30525, CVE-2020-9054, CVE-2020-29583).
While a public proof-of-concept (POC) exploit is not yet available for these vulnerabilities, Arctic Wolf Labs assesses that this vulnerability presents a high risk of future exploitation by threat actors, and strongly recommends that customers identify if they are running any devices affected by these vulnerabilities in the table listed below. Any affected organisations should apply applicable patches as part of their regular patching schedule.
|Affected model||Affected firmware version||Patch availability|
|ATP||ZLD V4.32 to V5.36 Patch 1||ZLD V5.36 Patch 2|
|USG FLEX||ZLD V4.50 to V5.36 Patch 1||ZLD V5.36 Patch 2|
|USG FLEX50(W) / USG20(W)-VPN||ZLD V4.25 to V5.36 Patch 1||ZLD V5.36 Patch 2|
|VPN||ZLD V4.30 to V5.36 Patch 1||ZLD V5.36 Patch 2|
|ZyWALL/USG||ZLD V4.25 to V4.73 Patch 1||ZLD V4.73 Patch 2|
Recommendations for CVE-2023-33009 and CVE-2023-33010
Recommendation #1: Apply the necessary patches for Zyxel products within your organisation
If you have Zyxel devices in your environment, we recommend that you review the table of affected devices listed above and apply patches where necessary. Zyxel provides instructions on how to update to the latest firmware versions at the following page: https://support.zyxel.eu/hc/en-us/articles/9207995518610-Firmware-Update-Upgrade-Procedure-USG-ATP-VPN
Recommendation #2: Limit access to web-based administration from the WAN interface
As a security best practice, Zyxel has previously recommended limiting access to web services on the WAN interface of these appliances.
While it is not known if this recommendation would mitigate this specific vulnerability, any practice limiting the attack surface is worthy of consideration.
For more details, see the guidance provided on this article: https://therecord.media/zyxel-says-a-threat-actor-is-targeting-its-enterprise-firewall-and-vpn-devices?web_view=true.