June 6, 2023
Severity
High
Analysis Summary
Recently, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two vulnerabilities affecting Zyxel firewalls to its Known Exploited Vulnerabilities catalog. These vulnerabilities, namely CVE-2023-33009 and CVE-2023-33010, are classified as buffer overflow vulnerabilities that can be exploited by attackers without authentication. Successful exploitation of these vulnerabilities can lead to two significant security risks: denial-of-service (DoS) attacks and remote code execution.
Zyxel, the vendor of the affected firewalls, responded promptly by releasing patches for these vulnerabilities on May 24, 2023. The patches address the security flaws in the following Zyxel firewall models and ZLD firmware versions:
- ATP: ZLD V4.32 to V5.36 Patch 1, patched in ZLD V5.36 Patch 2
- USG FLEX: ZLD V4.50 to V5.36 Patch 1, patched in ZLD V5.36 Patch 2
- USG FLEX50(W) / USG20(W)-VPN: ZLD V4.25 to V5.36 Patch 1, patched in ZLD V5.36 Patch 2
- VPN: ZLD V4.30 to V5.36 Patch 1, patched in ZLD V5.36 Patch 2
- ZyWALL/USG: ZLD V4.25 to V4.73 Patch 1, patched in ZLD V4.73 Patch 2
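The affected-version ranges above are easy to misread when the patch level matters (V5.36 Patch 1 is affected, V5.36 Patch 2 is not). The following is an added example, not part of the advisory or any Zyxel tooling, that parses ZLD version strings and checks a constructed firewall inventory against the ranges stated above; the model names and hostnames in the inventory are assumed sample values.

```python
import re
from typing import Dict, List, Tuple

# Affected range and fixed firmware per model family, as stated in the advisory.
# Model family -> (first affected, last affected, fixed in)
AFFECTED: Dict[str, Tuple[str, str, str]] = {
    "ATP":           ("V4.32", "V5.36 Patch 1", "V5.36 Patch 2"),
    "USG FLEX":      ("V4.50", "V5.36 Patch 1", "V5.36 Patch 2"),
    "USG FLEX50(W)": ("V4.25", "V5.36 Patch 1", "V5.36 Patch 2"),
    "USG20(W)-VPN":  ("V4.25", "V5.36 Patch 1", "V5.36 Patch 2"),
    "VPN":           ("V4.30", "V5.36 Patch 1", "V5.36 Patch 2"),
    "ZyWALL/USG":    ("V4.25", "V4.73 Patch 1", "V4.73 Patch 2"),
}

# Accepts "ZLD V5.36 Patch 1", "V5.36 Patch 1" or "V5.36" (no patch level).
_VER_RE = re.compile(r"^(?:ZLD\s*)?V(\d+)\.(\d+)(?:\s*Patch\s*(\d+))?$", re.IGNORECASE)


def parse_zld(version: str) -> Tuple[int, int, int]:
    """Turn a ZLD version string into a comparable (major, minor, patch) tuple."""
    m = _VER_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised ZLD version string: {version!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)  # missing patch level == 0


def assess(model: str, version: str) -> dict:
    """Report whether a device's firmware falls inside the affected range."""
    if model not in AFFECTED:
        return {"model": model, "version": version, "known": False}
    first, last, fixed = AFFECTED[model]
    v = parse_zld(version)
    vulnerable = parse_zld(first) <= v <= parse_zld(last)
    return {"model": model, "version": version, "known": True,
            "vulnerable": vulnerable, "fixed_in": fixed}


def needs_patch(inventory: List[Tuple[str, str, str]]) -> List[str]:
    """Return hostnames whose firmware is still in the affected range."""
    return [host for host, model, ver in inventory
            if assess(model, ver).get("vulnerable")]


# Constructed sample inventory: (hostname, model family, running firmware).
SAMPLE_INVENTORY = [
    ("fw-hq-01", "ATP", "ZLD V5.36 Patch 1"),      # affected, needs Patch 2
    ("fw-hq-02", "ATP", "ZLD V5.36 Patch 2"),      # already fixed
    ("fw-branch", "ZyWALL/USG", "V4.73 Patch 1"),  # affected
    ("fw-lab", "USG FLEX", "V4.49"),               # below affected range
    ("sw-core", "GS1900", "V2.70"),                # not a firewall in this advisory
]

if __name__ == "__main__":
    for host in needs_patch(SAMPLE_INVENTORY):
        print(f"{host}: upgrade required")
```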
While specific details regarding the exploitation of these vulnerabilities have not been disclosed, it is noteworthy that Zyxel firewalls were recently targeted through another vulnerability (CVE-2023-28771), which was actively exploited to recruit vulnerable devices into a Mirai botnet. This highlights the importance of promptly addressing vulnerabilities and applying the necessary security patches and updates to mitigate potential risks.
In response to these vulnerabilities, Federal Civilian Executive Branch (FCEB) agencies have been mandated to remediate the identified vulnerabilities by June 26, 2023. This requirement aims to ensure that the networks of these agencies are adequately secured against potential threats that may exploit the Zyxel firewall vulnerabilities.
Zyxel has provided additional guidance to its customers, recommending specific security measures. They advise customers to disable HTTP/HTTPS services from the WAN (Wide Area Network) unless absolutely necessary. Additionally, Zyxel recommends disabling UDP (User Datagram Protocol) ports 500 and 4500 if they are not actively used. These proactive steps can help minimize the attack surface and reduce the potential impact of exploitation.
It is also worth mentioning that Zyxel is addressing two other vulnerabilities in their product ecosystem. They are working on fixing flaws in their GS1900 series switches (CVE-2022-45853) and 4G LTE and 5G NR outdoor routers (CVE-2023-27989). These vulnerabilities, if exploited, can result in privilege escalation and denial-of-service (DoS) attacks.
In summary, the inclusion of the Zyxel firewall vulnerabilities in the CISA Known Exploited Vulnerabilities catalog highlights the importance of prompt patching and proactive security measures. Organizations, particularly FCEB agencies, should prioritize the remediation of these vulnerabilities (CVE-2023-33009 and CVE-2023-33010) to safeguard their networks against potential threats. Following Zyxel’s guidance on disabling unnecessary services and ports can further enhance the security posture of their systems.
Impact
- Denial of Service
- Code Execution
CVE
- CVE-2023-33009
- CVE-2023-33010
Remediation
- Refer to the Zyxel website for patch, upgrade, or suggested workaround information.
- Apply the patches: Ensure that the latest security patches released by Zyxel for the affected firewalls are applied promptly. These patches address the identified buffer overflow vulnerabilities and provide necessary fixes to mitigate the risk of denial-of-service (DoS) attacks and remote code execution.
- Update firmware: Keep the firewall firmware up to date with the latest versions provided by Zyxel. Firmware updates often include security enhancements and bug fixes that can help protect against known vulnerabilities.
- Educate users and administrators: Raise awareness among users and administrators about the risks associated with the vulnerabilities and the importance of promptly applying patches and updates. Educate them about best practices for firewall configuration and security hygiene to minimize the chances of successful exploitation.