CVE-2023-28771, the critical command injection vulnerability affecting many Zyxel firewalls, is being actively exploited by a Mirai-like botnet, and has been added to CISA's Known Exploited Vulnerabilities catalog.
CVE-2023-28771 is a vulnerability that allows unauthenticated attackers to execute OS commands remotely by sending crafted IKE packets to an affected device.
"While Internet Key Exchange is the protocol used to initiate this exploit, it's not a vulnerability in IKE itself, but it seems to be a result of this rogue debugging function that shouldn't have made it into a production build of the firmware. But since IKE is the only known protocol where the path to this vulnerability can be triggered, it's much more likely that only the Zyxel devices that are running IKE are actually vulnerable to this attack," Censys researchers explained.
"This vulnerability stems from a problematic logging function. Instead of employing a secure file handling mechanism by opening up a file handle and writing data to that handle, Zyxel chose a different approach: They constructed an "echo" command by incorporating user-controlled input data."
"These devices are deployed in all sorts of residential and business networks, both large and small. So the majority of networks these devices can be found in will be telecoms and other types of service providers," they noted.
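The two logging patterns the Censys researchers contrast, side by side, as an added example in C (constructed for this page, not Zyxel firmware code; the function names, the log path and the sample peer string are assumptions). The vulnerable builder only returns the assembled command line so the reader can see that metacharacters from the peer become part of it; the hardened version writes to a file handle and stores the same input literally.

```c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

/* Hypothetical log path used by both variants. */
#define LOG_PATH "/tmp/example_ike_debug.log"

/* Vulnerable pattern: a shell command is assembled around data the remote
 * peer controls. It is returned here rather than run; handing this string
 * to system()/popen() is exactly the root cause the page describes, since
 * ';', '$(' and similar characters in `msg` are interpreted by the shell. */
int vuln_build_log_cmd(const char *msg, char *out, size_t outlen) {
    int n = snprintf(out, outlen, "echo IKE error: %s >> %s", msg, LOG_PATH);
    return (n > 0 && (size_t)n < outlen) ? 0 : -1;
}

/* Hardened pattern: open the log file and write the bytes directly.
 * No shell is involved, so peer-supplied characters are stored literally. */
int safe_log_line(const char *msg) {
    FILE *f = fopen(LOG_PATH, "a");
    if (!f) return -1;
    int rc = (fprintf(f, "IKE error: %s\n", msg) < 0) ? -1 : 0;
    if (fclose(f) != 0) rc = -1;
    return rc;
}

/* Cheap defensive check: does the input contain shell metacharacters?
 * Useful as a detection/assert in review, though removing the shell
 * (as safe_log_line does) is the real fix, not filtering. */
int has_shell_metachars(const char *s) {
    return strpbrk(s, ";|&$`\"'\\<>()\n") != NULL;
}

/* Read back the last line of the log to confirm input survived unchanged. */
int read_last_log_line(char *buf, size_t buflen) {
    FILE *f = fopen(LOG_PATH, "r");
    if (!f) return -1;
    buf[0] = '\0';
    while (fgets(buf, (int)buflen, f)) { /* keep reading to the last line */ }
    fclose(f);
    buf[strcspn(buf, "\n")] = '\0';
    return 0;
}
```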
Those who applied the original update in time are advised to update again: on May 24, Zyxel released new patches fixing two buffer overflow flaws in those same firewalls.
News URL: https://www.helpnetsecurity.com/2023/06/01/cve-2023-28771-exploited/
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK
---|---|---|---
2023-04-25 | CVE-2023-28771 | OS Command Injection vulnerability in Zyxel products: improper error message handling in Zyxel ZyWALL/USG series firmware versions 4.60 through 4.73, VPN series firmware versions 4.60 through 5.35, USG FLEX series firmware versions 4.60 through 5.35, and ATP series firmware versions 4.60 through 5.35, which could allow an unauthenticated attacker to execute some OS commands remotely by sending crafted packets to an affected device. | 9.8