Critical flaw in Zyxel’s secure routers allows OS command execution via cookie (CVE-2024-7261)
Zyxel has patched a myriad of vulnerabilities in its various networking devices, including a critical one (CVE-2024-7261) that may allow unauthenticated attackers to execute OS commands on many Zyxel access points (APs) and security routers by sending a specially crafted cookie to the vulnerable devices.
CVE-2024-7261
CVE-2024-7261 is an OS command injection vulnerability that stems from the improper neutralization of special elements in the parameter “host” in the CGI program of some AP and security router versions.
Privately reported to Zyxel by Chengchao Ai, from the ROIS team of Fuzhou University, the vulnerability affects:
- Zyxel NWA1123ACv3 firmware version 6.70(ABVT.4) and earlier
- WAC500 firmware version 6.70(ABVS.4) and earlier
- WAX655E firmware version 7.00(ACDO.1) and earlier
- WBE530 firmware version 7.00(ACLE.1) and earlier, and
- USG LITE 60AX firmware version V2.00(ACIP.2)
Patches for all have been made available, and users are advised to upgrade their devices as soon as possible. Zyxel doesn’t mention any possible workarounds or available mitigations.
Multiple vulnerabilities in Zyxel firewalls
Zyxel has fixed seven vulnerabilities affecting its APT, USG Flex, USG Flex 50(W), and USG20(W)-VPN firewalls / unified security gateways, which are intended for use by small and medium-size businesses, as well as at branch locations.
The list includes four vulnerabilities – leading to DoS or allowing command injection and execution – that can only be exploited if the attacker has admin level privileges and is authenticated (CVE-2024-6343, CVE-2024-7203, CVE-2024-42059, CVE-2024-42060).
The remaining three (CVE-2024-42057, CVE-2024-42058, CVE-2024-42061) could allow an unauthenticated attacker to execute OS commands on an affected device, cause DoS, or to obtain browser-based information after a user is tricked into visiting a crafted URL with the XSS payload.
CVE-2024-5412
A buffer overflow vulnerability (CVE-2024-5412) in the library “libclinkc” of some of Zyxel’s 5G NR/4G LTE CPE, DSL/Ethernet CPE, fiber ONT, WiFi extender, and security router devices may allow an unauthenticated attacker to trigger a denial of service (DoS) condition by sending a specially crafted HTTP request to a vulnerable device.
Patches are immediately available for a small number of devices, but most of them are available to end users if they contact their local Zyxel support team.
“For end-users who received your Zyxel device from an ISP, we recommend you reach out to the ISP’s support team directly, as the device may have custom-built settings,” the company advised. “For ISPs, please contact your Zyxel sales or service representatives for further details.”