Zyxel Shares Tips on Protecting Firewalls From Ongoing Attacks.

Cyber Security Threat Summary:
“Zyxel has published a security advisory containing guidance on protecting firewall and VPN devices from ongoing attacks and detecting signs of exploitation. This warning comes in response to multiple reports of widespread exploitation of the CVE-2023-28771 and the exploitability and severity of CVE-2023-33009 and CVE-2023-33010, all impacting Zyxel VPN and firewall devices. ‘Zyxel has been urging users to install the patches through multiple channels, including issuing several security advisory newsletters to registered users and advisory subscribers; notifying users to upgrade via the Web GUI's push notification for on-premises devices; and enforcing scheduled firmware upgrades for cloud-based devices that haven't yet done so,’ warns Zyxel's security advisory” (Bleeping Computer, 2023).

The flaws impact the following products:

- ATP – ZLD V4.60 to V5.35
- USG FLEX – ZLD V4.60 to V5.35
- VPN – ZLD V4.60 to V5.35
- ZyWALL/USG – ZLD V4.60 to V4.73

Zyxel addressed the flaws on April 25, 2023, urging users to apply the latest updates: 'ZLD V5.36 Patch 2' for ATP, USG FLEX and VPN devices, and 'ZLD V4.73 Patch 2' for ZyWALL/USG. In addition, the vendor recommends that users:
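
To turn the affected ranges and fixed builds above into a quick inventory check, here is an added Python example (not code from Zyxel or Bleeping Computer). It parses ZLD firmware strings such as 'ZLD V4.73 Patch 2', compares them against the ranges and patch builds this page lists, and classifies each device; the product names, hostnames and firmware strings in the sample inventory are constructed for illustration.

```python
import re
from typing import NamedTuple

class ZldVersion(NamedTuple):
    major: int
    minor: int
    patch: int  # "Patch N" level; 0 when the string carries none

_VERSION_RE = re.compile(r"V(\d+)\.(\d+)(?:\s*Patch\s*(\d+))?", re.IGNORECASE)

def parse_zld(text: str) -> ZldVersion:
    """Parse strings such as 'ZLD V5.35' or 'ZLD V4.73 Patch 2'."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised ZLD version string: {text!r}")
    return ZldVersion(int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))

# Affected ranges (inclusive at the major.minor level) and fixed builds as this page lists them.
AFFECTED = {
    "ATP": ((4, 60), (5, 35)),
    "USG FLEX": ((4, 60), (5, 35)),
    "VPN": ((4, 60), (5, 35)),
    "ZyWALL/USG": ((4, 60), (4, 73)),
}
FIXED = {
    "ATP": ZldVersion(5, 36, 2),
    "USG FLEX": ZldVersion(5, 36, 2),
    "VPN": ZldVersion(5, 36, 2),
    "ZyWALL/USG": ZldVersion(4, 73, 2),
}

def assess(product: str, version_text: str) -> str:
    """Return 'patched', 'vulnerable' or 'unlisted' for one device."""
    v = parse_zld(version_text)
    if v >= FIXED[product]:
        return "patched"
    lo, hi = AFFECTED[product]
    if lo <= (v.major, v.minor) <= hi:
        return "vulnerable"
    return "unlisted"  # below the fixed build but outside the listed range: review manually

def triage(inventory: list[tuple[str, str, str]]) -> dict[str, str]:
    """Map hostname -> status for (hostname, product, version) records."""
    return {host: assess(product, ver) for host, product, ver in inventory}

# Constructed sample inventory; hostnames and firmware strings are made up.
SAMPLE_INVENTORY = [
    ("fw-branch-1", "ATP", "ZLD V5.35"),
    ("fw-hq", "USG FLEX", "ZLD V5.36 Patch 2"),
    ("fw-legacy", "ZyWALL/USG", "ZLD V4.73 Patch 1"),
    ("fw-old", "VPN", "ZLD V4.59"),
]
```

Note that a ZyWALL on V4.73 without Patch 2 is still inside the affected range, which is why the comparison is done against the full patch level and not just major.minor.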

- Unless it is absolutely necessary to manage devices from the WAN side, disable HTTP/HTTPS services from WAN.
- If you still need to manage devices from the WAN side: enable Policy Control and add rules to allow access only from trusted source IP addresses, and enable GeoIP filtering to allow access only from trusted locations.
- If you don't need to use the IPSec VPN function, disable UDP port 500 and port 4500 as shown below.

Security Officer Comments:
CVE-2023-28771 is an improper error message handling flaw that could allow unauthenticated threat actors to remotely execute OS commands on vulnerable devices via specially crafted packets. CVE-2023-33009 and CVE-2023-33010 are both buffer overflow bugs that could be leveraged to launch denial-of-service attacks or achieve remote code execution on an affected product. Several reports indicate that CVE-2023-28771 in particular is being actively exploited in the wild, with attackers abusing the flaw to install Mirai botnet malware on impacted devices. Given that Mirai is being installed, the compromised devices could further be leveraged to launch DDoS attacks against targeted individuals or organizations.

Suggested Correction(s):
CISA has added the flaws to its Known Exploited Vulnerabilities catalog, urging organizations to apply the updates by June 21, 2023.

Link(s):
https://www.bleepingcomputer.com/