Zyxel, a leading provider of networking solutions, has issued a security advisory alerting users to a critical vulnerability affecting several of its business routers. The flaw, identified as CVE-2024-7261, poses a significant risk as it allows unauthenticated attackers to execute arbitrary operating system commands remotely, potentially compromising the security of affected devices.
Understanding the Vulnerability
CVE-2024-7261 has been assigned a severity score of 9.8 out of 10 on the CVSS v3 scale, categorizing it as “critical.” The vulnerability stems from an input validation flaw due to improper handling of user-supplied data. Specifically, this issue involves the improper neutralization of special elements within the parameter “host” in the CGI program used by certain Zyxel access points (APs) and security routers. An attacker can exploit this flaw by sending a specially crafted cookie to a vulnerable device, which could result in unauthorized command execution on the host operating system.
“The improper neutralization of special elements in the parameter ‘host’ in the CGI program of some AP and security router versions could allow an unauthenticated attacker to execute OS commands by sending a crafted cookie to a vulnerable device,” Zyxel stated in its security advisory.
Affected Zyxel Devices
Zyxel has provided a list of affected devices, detailing the specific models and the firmware versions vulnerable to CVE-2024-7261. The affected devices include:
- NWA Series: Models such as NWA50AX, NWA50AX PRO, NWA55AXE, NWA90AX, NWA90AX PRO, NWA110AX, NWA130BE, NWA210AX, and NWA220AX-6E are affected in all versions up to 7.00. Users are advised to upgrade to version 7.00(ABYW.2) or later.
- NWA1123-AC PRO: All versions up to 6.28 are vulnerable. Users should upgrade to version 6.28(ABHD.3) or later.
- NWA1123ACv3, WAC500, WAC500H: All versions up to 6.70 are affected. An upgrade to version 6.70(ABVT.5) or later is recommended.
- WAC Series: Models including WAC6103D-I, WAC6502D-S, WAC6503D-S, WAC6552D-S, and WAC6553D-E are vulnerable in all versions up to 6.28. Zyxel suggests upgrading to version 6.28(AAXH.3) or later.
- WAX Series: Devices such as WAX300H, WAX510D, WAX610D, WAX620D-6E, WAX630S, WAX640S-6E, WAX650S, and WAX655E are affected in all versions up to 7.00. The recommended upgrade is to version 7.00(ACHF.2) or later.
- WBE Series: Models WBE530 and WBE660S are affected up to version 7.00. Users should upgrade to version 7.00(ACLE.2) or later.
Additionally, Zyxel has noted that the security router USG LITE 60AX running version V2.00(ACIP.2) is impacted. However, this device receives automatic updates via the cloud to version V2.00(ACIP.3), which contains the necessary patch for CVE-2024-7261.
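A defender-side inventory check that turns the affected-device list above into a firmware comparison. This is an added example, not code from Zyxel or its advisory; the model list and fixed versions are transcribed from this article, while the version-string format (major.minor, build code, patch number) and the conservative reading that any release numerically below the fixed version is vulnerable are assumptions.

```python
import re
from typing import Dict, Tuple

# Fixed firmware per model, transcribed from the advisory summary in this article.
FIXED_FIRMWARE: Dict[str, str] = {}
for models, fixed in (
    (("NWA50AX", "NWA50AX PRO", "NWA55AXE", "NWA90AX", "NWA90AX PRO", "NWA110AX",
      "NWA130BE", "NWA210AX", "NWA220AX-6E"), "7.00(ABYW.2)"),
    (("NWA1123-AC PRO",), "6.28(ABHD.3)"),
    (("NWA1123ACv3", "WAC500", "WAC500H"), "6.70(ABVT.5)"),
    (("WAC6103D-I", "WAC6502D-S", "WAC6503D-S", "WAC6552D-S", "WAC6553D-E"), "6.28(AAXH.3)"),
    (("WAX300H", "WAX510D", "WAX610D", "WAX620D-6E", "WAX630S", "WAX640S-6E",
      "WAX650S", "WAX655E"), "7.00(ACHF.2)"),
    (("WBE530", "WBE660S"), "7.00(ACLE.2)"),
    (("USG LITE 60AX",), "V2.00(ACIP.3)"),
):
    for model in models:
        FIXED_FIRMWARE[model.upper()] = fixed   # keys normalised to upper case

# Assumed format of Zyxel version strings, e.g. "7.00(ABYW.2)" or "V2.00(ACIP.3)":
# major.minor, then a build code and a patch number in parentheses.
_VERSION_RE = re.compile(r"^V?(\d+)\.(\d+)\(([A-Z]+)\.(\d+)\)$")

def parse_version(text: str) -> Tuple[int, int, str, int]:
    """Return (major, minor, build_code, patch); raise ValueError if malformed."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Zyxel version string: {text!r}")
    major, minor, build, patch = m.groups()
    return int(major), int(minor), build, int(patch)

def assess(model: str, running: str) -> str:
    """Classify a device as 'patched', 'vulnerable' or 'unknown' for CVE-2024-7261.
    Assumption: anything numerically below the fixed release is vulnerable, the
    conservative reading of 'all versions up to X' in the advisory summary."""
    fixed = FIXED_FIRMWARE.get(model.strip().upper())
    if fixed is None:
        return "unknown"          # model is not in the advisory list
    try:
        maj, mn, build, patch = parse_version(running)
    except ValueError:
        return "unknown"          # cannot compare an unparseable version
    fmaj, fmn, fbuild, fpatch = parse_version(fixed)
    if build != fbuild:
        return "unknown"          # build code does not belong to this model line
    return "patched" if (maj, mn, patch) >= (fmaj, fmn, fpatch) else "vulnerable"
```

Feed it the model and firmware string from each device's status page or your asset inventory; anything reported as "unknown" deserves a manual look rather than being assumed safe.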
Additional Vulnerability Patches
Beyond CVE-2024-7261, Zyxel has also released patches for several high-severity vulnerabilities affecting its ATP and USG FLEX firewalls. The vulnerabilities addressed include:
- CVE-2024-6343: A buffer overflow in the CGI program could result in a denial-of-service (DoS) condition if an authenticated administrator sends a crafted HTTP request.
- CVE-2024-7203: A post-authentication command injection flaw allows an authenticated administrator to execute OS commands through a specially crafted CLI command.
- CVE-2024-42057: This command injection vulnerability in the IPSec VPN feature can be exploited remotely without authentication. However, its impact is limited by specific configuration requirements, such as using User-Based-PSK authentication mode and having a username exceeding 28 characters in length. This vulnerability has been rated 8.1 (“high”) on the CVSS v3 scale.
- CVE-2024-42058: A null pointer dereference could lead to a DoS condition through crafted packets sent by an unauthenticated attacker.
- CVE-2024-42059: Another post-authentication command injection vulnerability allows an authenticated administrator to execute OS commands by uploading a crafted compressed language file via FTP.
- CVE-2024-42060: A similar post-authentication command injection flaw enables command execution by uploading a crafted internal user agreement file.
- CVE-2024-42061: A reflected cross-site scripting (XSS) vulnerability in “dynamic_script.cgi” could allow an attacker to deceive a user into visiting a specially crafted URL, potentially leading to the exposure of browser-based information.
Mitigation and Recommendations
Zyxel urges users of the affected devices to promptly apply the available security updates to mitigate these vulnerabilities. Keeping firmware up to date is crucial to protect against potential exploitation. Zyxel also recommends network administrators review device configurations and ensure that they follow security best practices, such as restricting access to management interfaces and using strong, unique passwords.
For more detailed information on the specific vulnerabilities and firmware updates, users are encouraged to consult Zyxel’s official security advisory and follow the recommended actions to safeguard their devices against these critical security threats.