
Critical Remote Code Execution Vulnerability in Zyxel Devices: CVE-2023-28771 Analysis and Mitigation Strategies


Executive Summary

CVE-2023-28771 is a critical vulnerability in several Zyxel network devices, including the ZyWALL/USG, VPN, ATP, and USG FLEX series. It arises from improper error message handling in the Internet Key Exchange (IKE) packet decoder, part of the IPSec VPN service these devices expose on UDP port 500. An unauthenticated attacker who can reach that port can inject operating-system commands that run as root, taking full control of the device. The vulnerability has been actively exploited in the wild, posing a significant risk to organizations using affected Zyxel devices. Immediate action is required: patch the devices, and restrict exposure of the IKE service until they are patched.

Technical Information

CVE-2023-28771 affects the Zyxel ZyWALL/USG, VPN, ATP, and USG FLEX series. The flaw lies in the error message handling of the IKE packet decoder, part of the IPSec VPN service, and is triggered by specially crafted IKEv2 requests sent to UDP port 500 on the WAN interface. No credentials or existing VPN configuration are required, the devices are vulnerable in their default configuration, and the result is execution of attacker-supplied commands with root privileges.

The vulnerability carries a CVSS v3.1 base score of 9.8 (Critical). The attack vector is the network, no privileges or user interaction are required, and the impact is remote code execution (RCE). Public exploit code is available and exploitation is straightforward, making this a significant threat to organizations with affected devices exposed to the Internet.

The vulnerability affects the following Zyxel products:

  - Zyxel ZyWALL/USG series, ZLD firmware versions 4.60 through 4.73
  - Zyxel VPN series, ZLD firmware versions 4.60 through 5.35
  - Zyxel ATP and USG FLEX series, ZLD firmware versions 4.60 through 5.35

The root cause is an operating-system command injection, not a memory-corruption bug. When the IKE packet decoder rejects a crafted IKEv2 request, it builds an error message that embeds attacker-controlled data taken from the packet and hands that message to a shell without sanitizing it. Shell metacharacters placed in the packet are therefore interpreted as commands, and because the IKE service runs as root, so do the injected commands. Any host that can send UDP traffic to port 500 on the WAN interface can trigger the flaw; no authentication and no established IKE session are needed.
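The pattern behind this bug class, as an added Python illustration written for this report. It is not Zyxel's firmware code and does not reproduce the real decoder: a logging routine splices bytes from a rejected Notify payload into a shell command line, and the hardened version passes the same message as a single argv element with no shell involved. The `echo` stand-in for the device's logging helper, the Notify type, the payload bytes, and the function names are all assumptions.

```python
import subprocess

# Constructed stand-in for the firmware's logging helper (not Zyxel code);
# 'echo' lets the demonstration run anywhere a POSIX shell exists.
LOG_HELPER = "echo"


def log_unknown_notify_vulnerable(notify_type: int, notify_data: bytes) -> str:
    """Bug class: attacker-controlled payload bytes are spliced into a shell
    command line, so quote and separator characters in the packet become
    shell syntax. Returns whatever the shell printed."""
    msg = notify_data.decode("latin-1")
    cmd = f"{LOG_HELPER} 'unknown notify type {notify_type}: {msg}'"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def log_unknown_notify_fixed(notify_type: int, notify_data: bytes) -> str:
    """Hardened form: no shell is involved; the message travels as one argv
    element, so the payload is logged verbatim and never interpreted."""
    msg = notify_data.decode("latin-1")
    argv = [LOG_HELPER, f"unknown notify type {notify_type}: {msg}"]
    return subprocess.run(argv, capture_output=True, text=True).stdout


# Constructed attacker payload: close the single quote, run a command, then
# comment out the rest of the line. 'echo INJECTED' stands in for the real
# payload, which would typically start a reverse shell or add an account.
INJECTED_NOTIFY = b"'; echo INJECTED; #"
UNKNOWN_TYPE = 40000  # assumed: a private-use Notify type the decoder rejects


def injected_command_ran(output: str) -> bool:
    """True when 'INJECTED' appears as a line of its own, i.e. the echo in
    the payload executed instead of being logged as text."""
    return "INJECTED" in output.splitlines()


if __name__ == "__main__":
    vuln_out = log_unknown_notify_vulnerable(UNKNOWN_TYPE, INJECTED_NOTIFY)
    fixed_out = log_unknown_notify_fixed(UNKNOWN_TYPE, INJECTED_NOTIFY)
    print("vulnerable: injected command ran =", injected_command_ran(vuln_out))
    print("fixed:      injected command ran =", injected_command_ran(fixed_out))
```

The vulnerable path prints the log prefix and then, on a separate line, the output of the injected command; the fixed path prints the whole payload as literal text. Where a shell genuinely cannot be avoided, `shlex.quote()` on every untrusted fragment is the minimum, but passing an argv list is the robust fix.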

Exploitation in the Wild

According to multiple sources, there has been widespread exploitation of this vulnerability in the wild. Attackers are leveraging this flaw to execute arbitrary commands on vulnerable devices by sending specially crafted IKEv2 requests. This has led to unauthorized access and potential control over affected systems.

CISA added CVE-2023-28771 to its Known Exploited Vulnerabilities (KEV) catalog on 2023-05-31. The Packet Storm Security website hosts the public exploit, a Metasploit module that exploits a remote unauthenticated command injection vulnerability in the IKE packet decoder over UDP port 500 on the WAN interface of several Zyxel devices. The affected devices are vulnerable in a default configuration, and command execution is with root privileges. Packet Storm lists the SHA-256 hash of the exploit file as 3332119f6d5058915a969972306dbb9e73aceea251afd2cffb7a4ddeec5a1966.

Several GitHub Proof of Concept (PoC) repositories have also been published, including:

  - BenHays142 PoC
  - WhiteOwl-Pub PoC
  - WhiteOwl-Pub Zyxel PoC
  - benjaminhays PoC
  - fed-speak PoC
  - Rapid7 Metasploit Module

APT Groups using this vulnerability

No specific APT groups have been publicly identified as exploiting CVE-2023-28771 according to the CVE Threat Actors Finder tool. However, the nature of the vulnerability and its exploitation vector suggest that it could be of interest to state-sponsored actors and advanced persistent threats (APTs) focusing on network infrastructure.

Affected Product Versions

The following Zyxel products are affected by CVE-2023-28771:

  - Zyxel ZyWALL/USG series, ZLD firmware versions 4.60 through 4.73
  - Zyxel VPN series, ZLD firmware versions 4.60 through 5.35
  - Zyxel ATP and USG FLEX series, ZLD firmware versions 4.60 through 5.35

Workaround and Mitigation

To mitigate the risk posed by CVE-2023-28771, organizations should take the following steps:

  1. Patch Management: Zyxel has released fixed firmware: ZLD V4.73 Patch 1 for the ZyWALL/USG series and ZLD V5.36 for the ATP, USG FLEX, and VPN series. Update to these or later versions; the firmware updates can be found on the Zyxel Firmware Updates page. Because the flaw is exploitable without credentials, treat any Internet-facing device still running a vulnerable version as potentially compromised and review it for unexpected accounts, processes, and outbound connections.

  2. Network Monitoring: Monitor IKE traffic on UDP ports 500 and 4500 arriving at the WAN interface. IKE_SA_INIT exchanges from sources that are not configured VPN peers, malformed or unusually long IKEv2 packets, and packets carrying readable shell syntax where binary protocol data is expected are indicators of probing or exploitation. Because injected commands run as root, also watch for new outbound connections or processes on the device following such traffic, so that attacks can be identified and contained quickly.

  3. Access Controls: Restrict which hosts can reach the IPSec service. Allow UDP ports 500 and 4500 on the WAN interface only from the IP addresses of known VPN peers, and disable the IPSec VPN service on WAN interfaces where it is not needed; since the exploit requires no authentication, Internet exposure of the IKE service is the entire attack surface. Apply the same restriction to management interfaces, which should never be reachable from untrusted networks.
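A detection and allowlist check for the monitoring and access-control measures above, as an added Python example written for this report (not Zyxel code and not a published signature). It parses the fixed IKEv2 header and generic payload chain from RFC 7296, flags IKE from sources outside a configured list of VPN peers, flags packets whose length fields do not match the datagram, and flags Notify payloads whose data is printable text containing shell metacharacters. The assumption that a crafted packet carries its command in a Notify payload, the text-based heuristic, the sample packets, and the peer addresses are all constructed for the example; in production the datagrams would come from a capture of UDP port 500 on the WAN interface.

```python
import struct
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# RFC 7296 values
IKEV2_HEADER_LEN = 28
EXCH_IKE_SA_INIT = 34
PAYLOAD_NONE, PAYLOAD_NONCE, PAYLOAD_NOTIFY = 0, 40, 41
NAT_DETECTION_SOURCE_IP = 16388
# Bytes that carry meaning to a POSIX shell.
SHELL_METACHARS = frozenset(b"`$;|&'\"\n<>()")


@dataclass
class IkePacket:
    exchange: int
    msg_id: int
    payloads: list  # [(payload_type, body_bytes), ...] in wire order


def parse_ikev2(data: bytes) -> IkePacket:
    """Parse the fixed header and walk the payload chain; reject any packet
    whose length fields do not match what was actually received."""
    if len(data) < IKEV2_HEADER_LEN:
        raise ValueError("short IKE header")
    _ispi, _rspi, next_payload, version, exchange, _flags, msg_id, length = \
        struct.unpack("!8s8sBBBBII", data[:IKEV2_HEADER_LEN])
    if version >> 4 != 2:
        raise ValueError(f"not IKEv2 (major version {version >> 4})")
    if length != len(data):
        raise ValueError(f"header length {length} != datagram length {len(data)}")
    payloads, off = [], IKEV2_HEADER_LEN
    while next_payload != PAYLOAD_NONE:
        if off + 4 > len(data):
            raise ValueError("truncated payload header")
        nxt, _crit, plen = struct.unpack("!BBH", data[off:off + 4])
        if plen < 4 or off + plen > len(data):
            raise ValueError(f"bad payload length {plen} at offset {off}")
        payloads.append((next_payload, data[off + 4:off + plen]))
        next_payload, off = nxt, off + plen
    return IkePacket(exchange, msg_id, payloads)


def looks_like_shell_text(data: bytes) -> bool:
    """Heuristic: injected commands are printable ASCII containing shell
    syntax, whereas genuine Notify data (NAT-detection hashes, cookies) is
    binary. Requiring printable text avoids matching a stray ';' in a hash."""
    if not data:
        return False
    printable = all(0x20 <= b <= 0x7E or b == 0x0A for b in data)
    return printable and bool(set(data) & SHELL_METACHARS)


def inspect_ike(src_ip: str, data: bytes, trusted_peers) -> list:
    """Findings for one UDP/500 datagram seen on WAN; an empty list is clean."""
    findings = []
    if not any(ip_address(src_ip) in net for net in trusted_peers):
        findings.append(f"IKE from untrusted source {src_ip}")
    try:
        pkt = parse_ikev2(data)
    except ValueError as err:
        findings.append(f"malformed IKE packet from {src_ip}: {err}")
        return findings
    for ptype, body in pkt.payloads:
        if ptype != PAYLOAD_NOTIFY:
            continue
        if len(body) < 4:
            findings.append("truncated Notify payload")
            continue
        _proto, spi_size, ntype = struct.unpack("!BBH", body[:4])
        ndata = body[4 + spi_size:]
        if looks_like_shell_text(ndata):
            findings.append(f"Notify type {ntype} carries shell syntax: {ndata!r}")
    return findings


# ---- constructed sample traffic (not real captures) -----------------------
def build_ikev2(exchange: int, payloads: list, msg_id: int = 0) -> bytes:
    body = b""
    for i, (ptype, pbody) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else PAYLOAD_NONE
        body += struct.pack("!BBH", nxt, 0, 4 + len(pbody)) + pbody
    first = payloads[0][0] if payloads else PAYLOAD_NONE
    header = struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x00" * 8, first, 0x20,
                         exchange, 0x08, msg_id, IKEV2_HEADER_LEN + len(body))
    return header + body


def notify_payload(ntype: int, data: bytes) -> bytes:
    return struct.pack("!BBH", 0, 0, ntype) + data  # protocol 0, no SPI


TRUSTED_PEERS = [ip_network("203.0.113.0/24")]  # assumed VPN peer range
NAT_HASH = b"\x8f;\x01\xa2\x7f" + bytes(15)      # stand-in for a binary SHA-1
BENIGN = build_ikev2(EXCH_IKE_SA_INIT, [
    (PAYLOAD_NONCE, b"\xaa" * 16),
    (PAYLOAD_NOTIFY, notify_payload(NAT_DETECTION_SOURCE_IP, NAT_HASH)),
])
SUSPICIOUS = build_ikev2(EXCH_IKE_SA_INIT, [
    (PAYLOAD_NONCE, b"\xbb" * 16),
    (PAYLOAD_NOTIFY, notify_payload(40000, b"'; id > /tmp/x; #")),
])
TRUNCATED = SUSPICIOUS[:40]  # cut mid-payload: length field no longer matches

if __name__ == "__main__":
    for src, pkt in [("203.0.113.10", BENIGN), ("198.51.100.77", SUSPICIOUS),
                     ("203.0.113.10", TRUNCATED)]:
        print(src, inspect_ike(src, pkt, TRUSTED_PEERS) or ["clean"])
```

The benign packet from a trusted peer yields no findings even though its NAT-detection hash happens to contain a `;` byte, because the hash is not printable text; the packet from the untrusted source yields one finding for the source address and one for the shell syntax in its Notify data; the truncated packet is reported as malformed. Any finding on WAN-facing UDP/500 traffic from a non-peer address is worth an alert on a device that has not yet been patched.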


Rescana is here for you

Rescana is committed to helping our customers navigate the complex landscape of cybersecurity threats. Our Continuous Threat and Exposure Management (CTEM) platform provides comprehensive monitoring, detection, and response capabilities to help you stay ahead of emerging threats. If you have any questions about this report or any other issue, please contact us at ops@rescana.com. We are here to assist you in safeguarding your organization against cybersecurity risks.
