SecurityWeek reports that four vulnerabilities impacting some Zyxel firewall and access point offerings have been addressed by the Taiwanese networking device manufacturer in newly released patches.
Threat actors could leverage the null pointer deference flaw, tracked as CVE-2023-6397, to facilitate denial-of-service conditions in vulnerable firewalls with activated "Anti-Malware" functionality, while the post-authentication command injection bug, tracked as CVE-2023-6398, could be exploited to enable operating system command execution through FTP among attackers with admin privileges, according to an advisory from Zyxel. Similar DoS conditions could be achieved by threat actors with IPSec VPN authentication through the abuse of the format string security issue, tracked as CVE-2023-6399, while another format string within IPSec VPN, tracked as CVE-2023-6764, could be exploited to cause unauthenticated remote code execution. However, Zyxel emphasized the challenges involved in exploiting the second format string bug, which needs an extensive awareness of both the configuration and memory layout of the targeted device.
API security, Network Security
Patches issued for Zyxel firewall product vulnerabilities
SC StaffToday’s columnist, Rod Stuhlmuller of Aviatrix, explains distributed cloud firewalls and how they are up to the task of securing today’s cloud environments. (Stock Photo, Getty Images)
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news