Zyxel published guidance for protecting devices from ongoing attacks

Zyxel has published guidance for protecting firewall and VPN devices from the ongoing attacks recently discovered.

Zyxel has published guidance for protecting firewall and VPN devices from ongoing attacks exploiting the CVE-2023-28771, CVE-2023-33009, and CVE-2023-33010 vulnerabilities.


“Simultaneously, Zyxel has been urging users to install the patches through multiple channels, including issuing several security advisory newsletters to registered users and advisory subscribers; notifying users to upgrade via the Web GUI’s push notification for on-premises devices; and enforcing scheduled firmware upgrades for cloud-based devices that haven’t yet done so,” reads the guidance published by the vendor.

Threat actors are actively attempting to exploit the command injection vulnerability CVE-2023-28771 impacting Zyxel firewalls. Their objective is to leverage this vulnerability to deploy and install malware on the affected systems. US CISA added the vulnerability to its Known Exploited Vulnerabilities Catalog based on evidence of active exploitation.

In late April, Zyxel addressed the critical vulnerability CVE-2023-28771 (CVSS score 9.8) in its firewall devices. The company promptly advised customers to install the provided patches in order to mitigate the vulnerability.

The vulnerability is being actively exploited to recruit vulnerable devices into a Mirai-like botnet.

The other two issues, tracked as CVE-2023-33009 and CVE-2023-33010, are critical buffer overflow vulnerabilities. A remote, unauthenticated attacker can trigger the flaws to cause a denial-of-service (DoS) condition and achieve remote code execution on vulnerable devices.

The company states that devices under attack become unresponsive and that their Web GUI or SSH management interface is not reachable.

Symptoms of attacks include network interruptions and VPN connections disconnecting.

The following table lists the products and firmware versions affected by these flaws and the latest firmware updates addressing the issues.

| Affected series | Affected versions for CVE-2023-28771 | Affected versions for CVE-2023-33009 / CVE-2023-33010 | Latest firmware |
|---|---|---|---|
| ATP | ZLD V4.60 to V5.35 | ZLD V4.32 to V5.36 Patch 1 | ZLD V5.36 Patch 2 |
| USG FLEX | ZLD V4.60 to V5.35 | ZLD V4.50 to V5.36 Patch 1 | ZLD V5.36 Patch 2 |
| USG FLEX50(W) / USG20(W)-VPN | N/A | ZLD V4.25 to V5.36 Patch 1 | ZLD V5.36 Patch 2 |
| VPN | ZLD V4.60 to V5.35 | ZLD V4.30 to V5.36 Patch 1 | ZLD V5.36 Patch 2 |
| ZyWALL/USG | ZLD V4.60 to V4.73 | ZLD V4.25 to V4.73 Patch 1 | ZLD V4.73 Patch 2 |
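As an added example (not part of the original article or of Zyxel's guidance), the following Python script transcribes the table above into a firmware checker that reports which of the three CVEs a given device series and ZLD version string is still exposed to, and which firmware the table names as the fix. The hostnames are constructed, and the comparison rule (a bound written without a "Patch" suffix is treated as patch level 0, so bounds are compared literally as the table states them) is an assumption of this example.

```python
import re

# Affected ranges transcribed from the vendor table reproduced on this page:
# series -> (CVE-2023-28771 range, CVE-2023-33009/33010 range, fixed firmware).
# A range is (oldest, newest) inclusive; None is the table's "N/A".
TABLE = {
    "ATP": (("V4.60", "V5.35"), ("V4.32", "V5.36 Patch 1"), "V5.36 Patch 2"),
    "USG FLEX": (("V4.60", "V5.35"), ("V4.50", "V5.36 Patch 1"), "V5.36 Patch 2"),
    "USG FLEX50(W)/USG20(W)-VPN": (None, ("V4.25", "V5.36 Patch 1"), "V5.36 Patch 2"),
    "VPN": (("V4.60", "V5.35"), ("V4.30", "V5.36 Patch 1"), "V5.36 Patch 2"),
    "ZyWALL/USG": (("V4.60", "V4.73"), ("V4.25", "V4.73 Patch 1"), "V4.73 Patch 2"),
}

# Accepts the forms the table uses: "V5.36", "ZLD V5.36 Patch 1", "v4.73 patch 2".
_VERSION_RE = re.compile(r"^(?:ZLD\s+)?V(\d+)\.(\d+)(?:\s+Patch\s+(\d+))?$", re.IGNORECASE)


def parse_zld(version):
    """Turn a ZLD version string into a comparable (major, minor, patch) tuple."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised ZLD version string: {version!r}")
    major, minor, patch = m.groups()
    # No "Patch N" suffix is treated as patch 0, so table bounds are compared
    # literally as written (an assumption of this example, not a vendor statement).
    return (int(major), int(minor), int(patch or 0))


def _in(version, rng):
    return bool(rng) and parse_zld(rng[0]) <= version <= parse_zld(rng[1])


def exposed_cves(series, version):
    """Return the set of CVE ids the given series/firmware is still exposed to."""
    rng_28771, rng_33009, _fixed = TABLE[series]
    v = parse_zld(version)
    exposed = set()
    if _in(v, rng_28771):
        exposed.add("CVE-2023-28771")
    if _in(v, rng_33009):
        exposed.update({"CVE-2023-33009", "CVE-2023-33010"})
    return exposed


def fleet_report(inventory):
    """Map each (hostname, series, firmware) to (sorted exposed CVEs, fix to apply or None)."""
    report = {}
    for host, series, version in inventory:
        cves = exposed_cves(series, version)
        report[host] = (sorted(cves), TABLE[series][2] if cves else None)
    return report
```

Calling `fleet_report([("fw-legacy", "ZyWALL/USG", "ZLD V4.73 Patch 1")])` (constructed host) shows the case the table implies: the April firmware closed CVE-2023-28771 on that series but still leaves the device exposed to the two buffer overflows until ZLD V4.73 Patch 2.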

Zyxel also provides mitigation measures for these vulnerabilities, such as disabling HTTP/HTTPS services from the WAN (Wide Area Network).

If admins need to manage devices from the WAN side, they should enable Policy Control and add rules to only allow access from trusted source IP addresses. The guidance also recommends enabling GeoIP filtering to only allow access from trusted locations.

Zyxel also recommends disabling UDP ports 500 and 4500 if there is no requirement for the IPSec VPN function.

Pierluigi Paganini (SecurityAffairs – hacking, firewall)