Patches issued for Zyxel firewall product vulnerabilities

SecurityWeek reports that four vulnerabilities impacting some Zyxel firewall and access point offerings have been addressed by the Taiwanese networking device manufacturer in newly released patches.

Threat actors could leverage the null pointer dereference flaw, tracked as CVE-2023-6397, to cause denial-of-service conditions in vulnerable firewalls with the "Anti-Malware" functionality activated, while the post-authentication command injection bug, tracked as CVE-2023-6398, could be exploited by attackers with admin privileges to execute operating system commands through FTP, according to an advisory from Zyxel. Similar DoS conditions could be achieved by threat actors with IPSec VPN authentication through abuse of the format string flaw tracked as CVE-2023-6399, while another format string flaw within IPSec VPN, tracked as CVE-2023-6764, could be exploited to achieve unauthenticated remote code execution. However, Zyxel emphasized the challenges involved in exploiting the second format string bug, which requires extensive knowledge of both the configuration and memory layout of the targeted device.
