Zyxel Fixes Critical Operating System Command Injection Vulnerability in Wireless Access Points and Routers
Zyxel has rolled out software updates to fix a critical security issue affecting specific access point (AP) and security router versions that could lead to the execution of unauthorized commands.
Identified as CVE-2024-7261 (CVSS score: 9.8), the vulnerability has been characterized as an instance of operating system (OS) command injection.
“The inadequate neutralization of special elements in the parameter ‘host’ in the CGI program of some AP and security router versions might enable an unauthenticated attacker to perform OS commands by dispatching a tailored cookie to a vulnerable device,” Zyxel stated in an advisory.
The detection and reporting of the flaw have been credited to Chengchao Ai from the ROIS team of Fuzhou University.
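The advisory describes the bug class, not the code, so the following Python sketch is an added illustration rather than Zyxel's CGI program: a handler takes a `host` value from the request cookie and uses it as a ping target. The cookie layout, the use of `ping`, and every function name here are assumptions made for the example. It shows the vulnerable shape (the raw value spliced into a shell string) next to a hardened shape (allow-list validation of the hostname, then the value passed as a single argv element with no shell involved).

```python
import re
import subprocess
from typing import List, Optional, Tuple

# Constructed example; not the vendor's code. A DNS label: alphanumerics and
# hyphens, no leading or trailing hyphen, at most 63 characters.
LABEL_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")


def host_from_cookie(cookie_header: str) -> Optional[str]:
    """Return the raw 'host' cookie value, or None if the cookie is absent.

    Assumed request format: a standard Cookie header, 'name=value; name=value'.
    No validation happens here; the value is untrusted input at this point.
    """
    for part in cookie_header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name.strip() == "host":
            return value.strip()
    return None


def is_valid_hostname(value: str) -> bool:
    """Allow-list check: RFC 1123 hostname syntax only.

    Anything a shell treats specially (spaces, quotes, '|', '&', '$', '`',
    newlines) fails this test, as does a leading '-' that could be read as
    a command option. A trailing dot is rejected too (empty last label).
    """
    if not 1 <= len(value) <= 253:
        return False
    return all(LABEL_RE.fullmatch(label) for label in value.split("."))


def build_ping_command_unsafe(host: str) -> str:
    """The vulnerable shape: the untrusted value becomes part of a shell
    command line. Handing this string to os.system() or subprocess with
    shell=True lets every shell metacharacter in 'host' change the command.
    Kept here only to contrast with the safe version; it is never executed."""
    return "ping -c 1 " + host


def build_ping_command_safe(host: str) -> List[str]:
    """Hardened shape: validate first, then build an argv list. Each element
    reaches execve() as one argument, so no shell parsing ever happens."""
    if not is_valid_hostname(host):
        raise ValueError("rejected host value")
    return ["ping", "-c", "1", host]


def plan_request(cookie_header: str) -> Tuple[int, Optional[List[str]]]:
    """Decide how the handler would respond: (HTTP status, argv or None).

    Missing or invalid input is refused with 400 before any command is
    built; the rejected value is a useful thing to log for detection.
    """
    host = host_from_cookie(cookie_header)
    if host is None:
        return 400, None
    try:
        return 200, build_ping_command_safe(host)
    except ValueError:
        return 400, None


def run_ping(argv: List[str]) -> int:
    """Execute the validated argv without a shell and return the exit code."""
    return subprocess.run(argv, shell=False, capture_output=True, timeout=10).returncode


if __name__ == "__main__":
    # Constructed cookie headers, one acceptable and one that would have
    # been spliced straight into the shell by the unsafe builder.
    for header in ("session=abc; host=127.0.0.1", "session=abc; host=127.0.0.1 extra"):
        status, argv = plan_request(header)
        print(header, "->", status, argv)
```

The decisive difference is not the regular expression but the argv list: even if validation were later loosened, `subprocess.run` with a list and `shell=False` never gives the value to a shell, so the class of bug the advisory describes cannot reappear through that path.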
Zyxel has also delivered patches for seven vulnerabilities in its routers and firewalls, including some of high severity, which could lead to OS command execution, a denial-of-service (DoS), or access to browser-based information –
- CVE-2024-5412 (CVSS score: 7.5) – An overflow vulnerability in the “libclinkc” library that could permit an unauthorized attacker to instigate DoS conditions with a specially designed HTTP request
- CVE-2024-6343 (CVSS score: 4.9) – An overflow vulnerability that an authenticated attacker with admin privileges could exercise to trigger DoS conditions by using a specifically crafted HTTP request
- CVE-2024-7203 (CVSS score: 7.2) – A post-authentication command injection vulnerability that an authenticated attacker with admin rights could employ to execute OS commands
- CVE-2024-42057 (CVSS score: 8.1) – A command injection flaw in the IPSec VPN feature that might enable an unauthorized attacker to execute some OS commands
- CVE-2024-42058 (CVSS score: 7.5) – A null pointer dereference vulnerability that could let an unauthorized attacker cause DoS conditions by transmitting forged packets
- CVE-2024-42059 (CVSS score: 7.2) – A post-authentication command injection vulnerability that could allow an authenticated attacker with admin rights to execute a few OS commands by uploading a specifically crafted compressed language file through FTP
- CVE-2024-42060 (CVSS score: 7.2) – A post-authentication command injection vulnerability in certain firewall versions that could enable an authenticated attacker with admin rights to execute specific OS commands
- CVE-2024-42061 (CVSS score: 6.1) – A reflected cross-site scripting (XSS) vulnerability in the CGI program “dynamic_script.cgi” that could enable an attacker to deceive a user into visiting a crafted URL with the XSS payload and capture browser-based information
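The last item in the list is a reflected XSS in a CGI program, which is a different defect from the command injections above: the parameter is copied from the URL into the HTML response without output encoding. As an added illustration that is not Zyxel's `dynamic_script.cgi` (its parameter names are not given here, so `msg` and the functions below are assumptions), this Python snippet shows the unencoded shape next to the encoded one and the response headers that reduce the impact if encoding is ever missed.

```python
import html
from typing import Dict
from urllib.parse import parse_qs

# Constructed example; the parameter name 'msg' is an assumption.
PARAM = "msg"


def reflected_param(query_string: str) -> str:
    """Extract the first value of the reflected parameter (percent-decoded)."""
    values = parse_qs(query_string, keep_blank_values=True).get(PARAM)
    return values[0] if values else ""


def render_unsafe(query_string: str) -> str:
    """Vulnerable shape: the decoded parameter is placed into markup as-is,
    so any markup in the URL becomes markup in the page a victim views."""
    return "<p>Result: " + reflected_param(query_string) + "</p>"


def render_safe(query_string: str) -> str:
    """Hardened shape: HTML-escape the value for the text context it lands in.
    quote=True also escapes quotes, which matters if the same value were
    ever reflected inside an attribute."""
    return "<p>Result: " + html.escape(reflected_param(query_string), quote=True) + "</p>"


def response_headers() -> Dict[str, str]:
    """Defence in depth for a CGI page that reflects input: an explicit
    charset (so the browser cannot sniff an unexpected encoding) and a
    Content-Security-Policy that forbids inline script, which blunts a
    reflected payload even if an encoding bug slips through."""
    return {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Security-Policy": "default-src 'self'; object-src 'none'; base-uri 'none'",
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    # Constructed query string carrying harmless markup, already URL-encoded.
    qs = "msg=%3Cb%3Ehello%3C%2Fb%3E"
    print(render_unsafe(qs))
    print(render_safe(qs))
```

The escaping is context-specific: `html.escape` is correct for element text and quoted attributes, but a value reflected into a `<script>` block or a URL would need JavaScript or URL encoding instead, which is why the CSP header is worth sending regardless.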
The announcement coincides with D-Link disclosing four security flaws impacting its DIR-846 router, comprising two critical remote command execution vulnerabilities (CVE-2024-44342, CVSS score: 9.8) that will not be fixed because the product reached end-of-life (EoL) status in February 2020, prompting customers to upgrade to supported models.