CVSS3
Attack Vector: ADJACENT
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AI Score Confidence: High
EPSS Percentile: 84.7%

The firmware version of the Zyxel USG, ATP, or VPN device is less than 5.37. This Zyxel device firmware is affected by multiple vulnerabilities:

- A command injection vulnerability in the Free Time WiFi hotspot feature of some firewall versions could allow an unauthenticated, LAN-based attacker to execute some OS commands on an affected device. (CVE-2023-34139)
- A command injection vulnerability in the hotspot management feature of some firewall versions could allow an unauthenticated, LAN-based attacker to execute some OS commands on an affected device if the attacker could trick an authorized administrator into adding their IP address to the list of trusted RADIUS clients in advance. (CVE-2023-34138)
- A command injection vulnerability in the configuration parser of some firewall versions could allow an unauthenticated, LAN-based attacker to execute some OS commands by using a crafted GRE configuration when the cloud management mode is enabled. (CVE-2023-33012)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(179407);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/07/04");

  script_cve_id(
    "CVE-2023-28767",
    "CVE-2023-33011",
    "CVE-2023-33012",
    "CVE-2023-34138",
    "CVE-2023-34139",
    "CVE-2023-34140",
    "CVE-2023-34141"
  );

  script_name(english:"Zyxel USG < 5.37 / ATP < 5.37 / VPN < 5.37 Multiple Vulnerabilities");

  script_set_attribute(attribute:"synopsis", value:
"The remote security gateway is affected by a remote code execution vulnerability.");
  script_set_attribute(attribute:"description", value:
"Firmware version of the Zyxel USG, ATP, VPN is less than 5.37. This Zyxel device firmware is affected by multiple vulnerabilities:
- A command injection vulnerability in the Free Time WiFi hotspot feature of some firewall versions could allow an
unauthenticated, LAN-based attacker to execute some OS commands on an affected device. (CVE-2023-34139)
- A command injection vulnerability in the hotspot management feature of some firewall versions could allow an unauthenticated,
LAN-based attacker to execute some OS commands on an affected device if the attacker could trick an authorized administrator
to add their IP address to the list of trusted RADIUS clients in advance. (CVE-2023-34138)
- A command injection vulnerability in the configuration parser of some firewall versions could allow an unauthenticated,
LAN-based attacker to execute some OS commands by using a crafted GRE configuration when the cloud management mode is enabled.
(CVE-2023-33012)
Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  # https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-multiple-vulnerabilities-in-firewalls-and-wlan-controllers
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?315d4ab6");
  script_set_attribute(attribute:"solution", value:
"Upgrade Zyxel USG / ATP / VPN to version 5.37 or later.");
  script_set_cvss_base_vector("CVSS2#AV:A/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2023-34141");
  script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2023-34139");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Zyxel parse_config.py Command Injection');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2023/07/18");
  script_set_attribute(attribute:"patch_publication_date", value:"2023/07/18");
  script_set_attribute(attribute:"plugin_publication_date", value:"2023/08/07");

  script_set_attribute(attribute:"plugin_type", value:"combined");
  script_set_attribute(attribute:"cpe", value:"cpe:/h:zyxel:usg_flex");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Firewalls");

  script_copyright(english:"This script is Copyright (C) 2023-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("zyxel_usg_web_detect.nbin", "zyxel_usg_detect.nbin");
  script_require_keys("installed_sw/Zyxel Unified Security Gateway (USG)");
  script_require_ports("Services/www", 80, 443);

  exit(0);
}

include('vcf.inc');

var app = 'Zyxel Unified Security Gateway (USG)';
var app_info = vcf::combined_get_app_info(app:app);
var model = app_info['Model'];
var constraints = [];

# The model string selects the affected version range, so bail out if it is unknown.
if (empty_or_null(model))
  audit(AUDIT_OS_CONF_UNKNOWN, 'Zyxel device');

# More specific model strings ('USG FLEX 50W', 'USG20W-VPN') are matched
# before the broader 'USG FLEX' and 'VPN' substrings.
if ('ATP' >< model)
  constraints = [{ 'min_version' : '4.32', 'fixed_version' : '5.37' }];
else if ('USG FLEX 50W' >< model)
  constraints = [{ 'min_version' : '4.50', 'fixed_version' : '5.37' }];
else if ('USG20W-VPN' >< model)
  constraints = [{ 'min_version' : '4.16', 'fixed_version' : '5.37' }];
else if ('USG FLEX' >< model)
  constraints = [{ 'min_version' : '4.50', 'fixed_version' : '5.37' }];
else if ('VPN' >< model)
  constraints = [{ 'min_version' : '4.20', 'fixed_version' : '5.37' }];
else
  audit(AUDIT_NOT_INST, 'Zyxel USG / ATP / VPN Device');

# Report if the self-reported firmware version falls inside the affected range.
vcf::check_version_and_report(
  app_info:app_info,
  constraints:constraints,
  severity:SECURITY_HOLE
);

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28767
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-33011
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-33012
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-34138
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-34139
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-34140
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-34141
www.nessus.org/u?315d4ab6