
Zyxel firewalls under attack by Mirai-like botnet
2023-06-01 08:41

CVE-2023-28771, the critical command injection vulnerability affecting many Zyxel firewalls, is being actively exploited by a Mirai-like botnet, and has been added to CISA's Known Exploited Vulnerabilities catalog.

CVE-2023-28771 is a vulnerability that allows unauthenticated attackers to execute OS commands remotely by sending crafted IKE packets to an affected device.

"While Internet Key Exchange is the protocol used to initiate this exploit, it's not a vulnerability in IKE itself, but it seems to be a result of this rogue debugging function that shouldn't have made it into a production build of the firmware. But since IKE is the only known protocol where the path to this vulnerability can be triggered, it's much more likely that only the Zyxel devices that are running IKE are actually vulnerable to this attack," Censys researchers explained.

"This vulnerability stems from a problematic logging function. Instead of employing a secure file handling mechanism by opening up a file handle and writing data to that handle, Zyxel chose a different approach: They constructed an "echo" command by incorporating user-controlled input data.

"These devices are deployed in all sorts of residential and business networks, both large and small. So the majority of networks these devices can be found in will be telecoms and other types of service providers," they noted.
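The logging pattern Censys describes, as an added illustration that is not Zyxel's code: a log line built as a shell command beside the same line written through a file handle, plus a small review check a defender can run over such command strings. Function names, the log path and the sample inputs are all constructed for this example.

```c
/* Added illustration, not Zyxel's code: the logging pattern Censys describes,
 * a shell-command builder beside a direct file write. Names, the log path and
 * the sample inputs are all constructed for this example. */
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern: the untrusted value is spliced into a shell command.
 * Firmware of this kind would pass such a string to system()/popen(); here it
 * is only built, so the construction can be inspected without running it.
 * Returns the command length, or -1 if it would not fit in `out`. */
int build_log_command(const char *peer_id, char *out, size_t out_len) {
    int n = snprintf(out, out_len,
                     "echo 'IKE peer %s' >> /var/log/ike_debug.log", peer_id);
    return (n < 0 || (size_t)n >= out_len) ? -1 : n;
}

/* Review check: does ';', '|', '&', '`' or '$' appear outside the single
 * quotes the builder intended? If so the "peer id" terminated the quoting and
 * a shell would execute whatever follows as a separate command. The '>>'
 * redirection is outside the quotes by design, so it is not flagged. */
int shell_breaks_out(const char *cmd) {
    int in_quote = 0;
    for (const char *p = cmd; *p; p++) {
        if (*p == '\'') { in_quote = !in_quote; continue; }
        if (!in_quote && strchr(";|&`$", *p)) return 1;
    }
    return 0;
}

/* Convenience wrapper: build the command for `peer_id` and report whether it
 * escapes the quoting (1), stays contained (0), or could not be built (-1). */
int log_line_escapes_shell(const char *peer_id) {
    char cmd[256];
    if (build_log_command(peer_id, cmd, sizeof cmd) < 0) return -1;
    return shell_breaks_out(cmd);
}

/* Hardened pattern: write the bytes to an already open log stream (obtained
 * with fopen(path, "a") in real code). No shell parses the data, so quotes
 * and metacharacters are stored literally. Returns characters written, -1 on error. */
int log_to_stream(FILE *log, const char *peer_id) {
    int n = fprintf(log, "IKE peer %s\n", peer_id);
    if (n < 0 || fflush(log) != 0) return -1;
    return n;
}

/* Round trip through a temporary file: returns 1 if the stored line is
 * exactly "IKE peer <peer_id>", 0 if it differs, -1 on I/O error. */
int safe_log_roundtrip(const char *peer_id) {
    char expected[256], line[256];
    FILE *f = tmpfile();
    if (!f) return -1;
    if (log_to_stream(f, peer_id) < 0) { fclose(f); return -1; }
    rewind(f);
    if (!fgets(line, sizeof line, f)) { fclose(f); return -1; }
    fclose(f);
    line[strcspn(line, "\n")] = '\0';          /* drop the trailing newline */
    snprintf(expected, sizeof expected, "IKE peer %s", peer_id);
    return strcmp(line, expected) == 0;
}

int main(void) {
    /* Constructed sample inputs: a benign peer id and one carrying shell syntax. */
    const char *inputs[] = { "gw-branch-01", "gw'; echo INJECTED; '" };
    char cmd[256];
    for (int i = 0; i < 2; i++) {
        build_log_command(inputs[i], cmd, sizeof cmd);
        printf("%s\n  breaks out of quoting: %d   stored literally by file write: %d\n",
               cmd, shell_breaks_out(cmd), safe_log_roundtrip(inputs[i]));
    }
    return 0;
}
```

The point of the two halves is that the fix is not better quoting of the echo argument but removing the shell from the path entirely: once the data goes through fprintf to a file handle there is no parser left for it to confuse, whereas an escaping routine has to anticipate every quoting rule of whatever /bin/sh the firmware ships. The shell_breaks_out check is the kind of test a code reviewer or a fuzz harness can apply to any command string a build assembles from network input.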

Those who applied the earlier fix in time are advised to update again: on May 24, Zyxel released new patches for two buffer overflow flaws in those same firewalls.


News URL

https://www.helpnetsecurity.com/2023/06/01/cve-2023-28771-exploited/

Related Vulnerability

Date: 2023-04-25
CVE: CVE-2023-28771
Title: OS Command Injection vulnerability in Zyxel products
Description: Improper error message handling in Zyxel ZyWALL/USG series firmware versions 4.60 through 4.73, VPN series firmware versions 4.60 through 5.35, USG FLEX series firmware versions 4.60 through 5.35, and ATP series firmware versions 4.60 through 5.35, which could allow an unauthenticated attacker to execute some OS commands remotely by sending crafted packets to an affected device.
Attack vector: network, low complexity
Vendor: Zyxel
Weakness: CWE-78
Risk: critical (score 9.8)

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Zyxel 485 3 121 77 45 246