Recently, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two vulnerabilities affecting Zyxel firewalls to its Known Exploited Vulnerabilities catalog. These vulnerabilities, namely CVE-2023-33009 and CVE-2023-33010, are classified as buffer overflow vulnerabilities that can be exploited by attackers without authentication. Successful exploitation of these vulnerabilities can lead to two significant security risks: denial-of-service (DoS) attacks and remote code execution.
Zyxel, the vendor of the affected firewalls, responded promptly by releasing patches for these vulnerabilities on May 24, 2023. The patches address the security flaws in various models and versions of Zyxel firewalls, including ATP (versions ZLD V4.32 to V5.36 Patch 1, patched in ZLD V5.36 Patch 2), USG FLEX (versions ZLD V4.50 to V5.36 Patch 1, patched in ZLD V5.36 Patch 2), USG FLEX50(W) / USG20(W)-VPN (versions ZLD V4.25 to V5.36 Patch 1, patched in ZLD V5.36 Patch 2), VPN (versions ZLD V4.30 to V5.36 Patch 1, patched in ZLD V5.36 Patch 2), and ZyWALL/USG (versions ZLD V4.25 to V4.73 Patch 1, patched in ZLD V4.73 Patch 2).
While specific details regarding the exploitation of these vulnerabilities have not been disclosed, it is noteworthy that Zyxel firewalls were recently targeted through another vulnerability (CVE-2023-28771), which was actively exploited to recruit vulnerable devices into a Mirai botnet. This highlights the importance of promptly addressing vulnerabilities and applying the necessary security patches and updates to mitigate potential risks.
In response to these vulnerabilities, Federal Civilian Executive Branch (FCEB) agencies have been mandated to remediate the identified vulnerabilities by June 26, 2023. This requirement aims to ensure that the networks of these agencies are adequately secured against potential threats that may exploit the Zyxel firewall vulnerabilities.
Zyxel has provided additional guidance to its customers, recommending specific security measures. They advise customers to disable HTTP/HTTPS services from the WAN (Wide Area Network) unless absolutely necessary. Additionally, Zyxel recommends disabling UDP (User Datagram Protocol) ports 500 and 4500 if they are not actively used. These proactive steps can help minimize the attack surface and reduce the potential impact of exploitation.
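The affected-version table and Zyxel's hardening guidance above translate directly into an inventory check. The following script is an added example written for this article; it is not code from Zyxel or from the article's author. It parses ZLD version strings in the form the article uses ("ZLD V5.36 Patch 1"), classifies each device against the affected and fixed builds listed above, and flags the two exposure items Zyxel recommends reviewing (HTTP/HTTPS management on the WAN, and UDP 500/4500 on the WAN when IPsec is not in use). The device inventory, its field names, and the status labels are constructed for illustration and are not taken from any Zyxel export format.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Per product line: (first affected build, last affected build, fixed build),
# exactly as listed in the article for CVE-2023-33009 / CVE-2023-33010.
AFFECTED = {
    "ATP":           ("ZLD V4.32", "ZLD V5.36 Patch 1", "ZLD V5.36 Patch 2"),
    "USG FLEX":      ("ZLD V4.50", "ZLD V5.36 Patch 1", "ZLD V5.36 Patch 2"),
    "USG FLEX50(W)": ("ZLD V4.25", "ZLD V5.36 Patch 1", "ZLD V5.36 Patch 2"),
    "USG20(W)-VPN":  ("ZLD V4.25", "ZLD V5.36 Patch 1", "ZLD V5.36 Patch 2"),
    "VPN":           ("ZLD V4.30", "ZLD V5.36 Patch 1", "ZLD V5.36 Patch 2"),
    "ZyWALL/USG":    ("ZLD V4.25", "ZLD V4.73 Patch 1", "ZLD V4.73 Patch 2"),
}

# "ZLD V5.36 Patch 1" -> (5, 36, 1); a missing "Patch N" suffix means patch 0.
_VERSION_RE = re.compile(r"^ZLD\s+V(\d+)\.(\d+)(?:\s+Patch\s+(\d+))?$", re.IGNORECASE)


def parse_zld(version: str) -> tuple[int, int, int]:
    """Turn a ZLD version string into a comparable (major, minor, patch) tuple."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised ZLD version string: {version!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def version_status(product: str, version: str) -> str:
    """Classify a firmware build as 'patched', 'affected', 'below-listed-range'
    (older than the first affected build; outside the advisory's scope) or
    'unlisted-product' (product line not named in the advisory)."""
    if product not in AFFECTED:
        return "unlisted-product"
    low, high, fixed = (parse_zld(v) for v in AFFECTED[product])
    v = parse_zld(version)
    if v >= fixed:
        return "patched"
    if low <= v <= high:
        return "affected"
    return "below-listed-range"


@dataclass
class Device:
    # Hypothetical inventory record; field names are constructed for this example.
    name: str
    product: str
    version: str
    wan_http_https: bool      # HTTP/HTTPS management reachable from the WAN
    wan_udp_500_4500: bool    # UDP 500/4500 (IKE / NAT-T) open on the WAN
    ipsec_in_use: bool        # whether the site actually relies on IPsec VPN


def assess(device: Device) -> dict:
    """Return the patch status plus the remediation actions Zyxel's guidance implies."""
    status = version_status(device.product, device.version)
    actions: list[str] = []
    if status == "affected":
        actions.append(f"upgrade to {AFFECTED[device.product][2]}")
    if device.wan_http_https:
        actions.append("disable HTTP/HTTPS on the WAN unless absolutely necessary")
    if device.wan_udp_500_4500 and not device.ipsec_in_use:
        actions.append("disable UDP 500/4500 on the WAN (IPsec not in use)")
    return {"device": device.name, "status": status, "actions": actions}


# Constructed sample inventory (not real devices).
SAMPLE_INVENTORY = [
    Device("fw-branch-01", "USG FLEX", "ZLD V5.36 Patch 1", True, True, False),
    Device("fw-hq-01", "ATP", "ZLD V5.36 Patch 2", False, True, True),
    Device("fw-legacy-01", "ZyWALL/USG", "ZLD V4.60", True, False, False),
]

if __name__ == "__main__":
    for dev in SAMPLE_INVENTORY:
        report = assess(dev)
        print(f"{report['device']}: {report['status']}")
        for action in report["actions"]:
            print(f"  - {action}")
```

Running it over the constructed inventory lists fw-branch-01 and fw-legacy-01 as affected with an upgrade action plus the WAN-exposure findings, and fw-hq-01 as patched with no actions, since its IPsec ports are in use. The comparison treats any build at or above the fixed build as patched, so a later release such as a hypothetical V5.37 is not mis-flagged.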
It is also worth mentioning that Zyxel is addressing two other vulnerabilities in their product ecosystem. They are working on fixing flaws in their GS1900 series switches (CVE-2022-45853) and 4G LTE and 5G NR outdoor routers (CVE-2023-27989). These vulnerabilities, if exploited, can result in privilege escalation and denial-of-service (DoS) attacks.
In summary, the inclusion of the Zyxel firewall vulnerabilities in the CISA Known Exploited Vulnerabilities catalog highlights the importance of prompt patching and proactive security measures. Organizations, particularly FCEB agencies, should prioritize the remediation of these vulnerabilities (CVE-2023-33009 and CVE-2023-33010) to safeguard their networks against potential threats. Following Zyxel’s guidance on disabling unnecessary services and ports can further enhance the security posture of their systems.