CVE-2022-26531

24.05.2022, 06:15

Multiple improper input validation flaws were identified in some CLI commands of Zyxel USG/ZyWALL series firmware versions 4.09 through 4.71, USG FLEX series firmware versions 4.50 through 5.21, ATP series firmware versions 4.32 through 5.21, VPN series firmware versions 4.30 through 5.21, NSG series firmware versions 1.00 through 1.33 Patch 4, NXC2500 firmware version 6.10(AAIG.3) and earlier versions, NAP203 firmware version 6.25(ABFA.7) and earlier versions, NWA50AX firmware version 6.25(ABYW.5) and earlier versions, WAC500 firmware version 6.30(ABVS.2) and earlier versions, and WAX510D firmware version 6.30(ABTF.2) and earlier versions, that could allow a local authenticated attacker to cause a buffer overflow or a system crash via a crafted payload.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	6.1 MEDIUM	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
Zyxel	CNA	6.1 MEDIUM	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 75%

Vendor	Product	Version
zyxel	vpn100_firmware	4.30 ≤ 𝑥 ≤ 5.21
zyxel	vpn1000_firmware	4.30 ≤ 𝑥 ≤ 5.21
zyxel	vpn300_firmware	4.30 ≤ 𝑥 ≤ 5.21
zyxel	vpn50_firmware	4.30 ≤ 𝑥 ≤ 5.21
zyxel	atp100_firmware	4.32 ≤ 𝑥 ≤ 5.21
zyxel	atp100w_firmware	4.32 ≤ 𝑥 ≤ 5.21
zyxel	atp200_firmware	4.32 ≤ 𝑥 ≤ 5.21
zyxel	atp500_firmware	4.32 ≤ 𝑥 ≤ 5.21
zyxel	atp700_firmware	4.32 ≤ 𝑥 ≤ 5.21
zyxel	atp800_firmware	4.32 ≤ 𝑥 ≤ 5.21
zyxel	usg_110_firmware	4.09 ≤ 𝑥 ≤ 4.71
zyxel	usg_1100_firmware	4.09 ≤ 𝑥 ≤ 4.71
zyxel	usg_1900_firmware	4.09 ≤ 𝑥 ≤ 4.71
zyxel	usg_20w_firmware	4.09 ≤ 𝑥 ≤ 4.71
zyxel	usg_20w-vpn_firmware	4.09 ≤ 𝑥 ≤ 4.71
zyxel	usg_2200-vpn_firmware	4.09 ≤ 𝑥 ≤ 4.71
zyxel	usg_310_firmware	4.09 ≤ 𝑥 ≤ 4.71
zyxel	usg_40_firmware	4.09 ≤ 𝑥 ≤ 4.71
zyxel	usg_40w_firmware	4.09 ≤ 𝑥 ≤ 4.71
zyxel	usg_60_firmware	4.09 ≤ 𝑥 ≤ 4.71
zyxel	usg_60w_firmware	4.09 ≤ 𝑥 ≤ 4.71
zyxel	usg_flex_100_firmware	4.50 ≤ 𝑥 ≤ 5.21
zyxel	usg_flex_100w_firmware	4.50 ≤ 𝑥 ≤ 5.21
zyxel	usg_flex_200_firmware	4.50 ≤ 𝑥 ≤ 5.21
zyxel	usg_flex_500_firmware	4.50 ≤ 𝑥 ≤ 5.21
zyxel	usg_flex_700_firmware	4.50 ≤ 𝑥 ≤ 5.21
zyxel	usg200_firmware	4.09 ≤ 𝑥 ≤ 4.71
zyxel	usg20_firmware	4.09 ≤ 𝑥 ≤ 4.71
zyxel	usg210_firmware	4.09 ≤ 𝑥 ≤ 4.71
zyxel	usg2200_firmware	4.09 ≤ 𝑥 ≤ 4.71
zyxel	usg300_firmware	4.09 ≤ 𝑥 ≤ 4.71
zyxel	usg310_firmware	4.09 ≤ 𝑥 ≤ 4.71
zyxel	nsg300_firmware	1.00 ≤ 𝑥 < 1.33
zyxel	nsg300_firmware	1.33
zyxel	nsg300_firmware	1.33:patch1
zyxel	nsg300_firmware	1.33:patch2
zyxel	nsg300_firmware	1.33:patch3
zyxel	nsg300_firmware	1.33:patch4
zyxel	nsg100_firmware	1.00 ≤ 𝑥 < 1.33
zyxel	nsg100_firmware	1.33
zyxel	nsg100_firmware	1.33:patch1
zyxel	nsg100_firmware	1.33:patch2
zyxel	nsg100_firmware	1.33:patch3
zyxel	nsg100_firmware	1.33:patch4
zyxel	nsg50_firmware	1.00 ≤ 𝑥 < 1.33
zyxel	nsg50_firmware	1.33
zyxel	nsg50_firmware	1.33:patch1
zyxel	nsg50_firmware	1.33:patch2
zyxel	nsg50_firmware	1.33:patch3
zyxel	nsg50_firmware	1.33:patch4
zyxel	nxc2500_firmware	𝑥 ≤ 6.10\(aaig.3\)
zyxel	nxc5500_firmware	𝑥 ≤ 6.10\(aaos.3\)
zyxel	nap203_firmware	𝑥 ≤ 6.25\(abfa.7\)
zyxel	nap303_firmware	𝑥 ≤ 6.25\(abex.7\)
zyxel	nap353_firmware	𝑥 ≤ 6.25\(abey.7\)
zyxel	nwa50ax_firmware	𝑥 ≤ 6.25\(abyw.5\)
zyxel	nwa55axe_firmware	𝑥 ≤ 6.25\(abzl.5\)
zyxel	nwa90ax_firmware	𝑥 ≤ 6.27\(accv.2\)
zyxel	nwa110ax_firmware	𝑥 ≤ 6.30\(abtg.2\)
zyxel	nwa210ax_firmware	𝑥 ≤ 6.30\(abtd.2\)
zyxel	nwa1123-ac-hd_firmware	𝑥 ≤ 6.25\(abin.6\)
zyxel	nwa1123-ac-pro_firmware	𝑥 ≤ 6.25\(abhd.7\)
zyxel	nwa1123acv3_firmware	𝑥 ≤ 6.30\(abvt.2\)
zyxel	nwa1302-ac_firmware	𝑥 ≤ 6.25\(abku.6\)
zyxel	nwa5123-ac-hd_firmware	𝑥 ≤ 6.25\(abim.6\)
zyxel	wac500h_firmware	𝑥 ≤ 6.30\(abwa.2\)
zyxel	wac500_firmware	𝑥 ≤ 6.30\(abvs.2\)
zyxel	wac5302d-s_firmware	𝑥 ≤ 6.10\(abfh.10\)
zyxel	wac5302d-sv2_firmware	𝑥 ≤ 6.25\(abvz.6\)
zyxel	wac6103d-i_firmware	𝑥 ≤ 6.25\(aaxh.7\)
zyxel	wac6303d-s_firmware	𝑥 ≤ 6.25\(abgl.6\)
zyxel	wac6502d-e_firmware	𝑥 ≤ 6.25\(aasd.7\)
zyxel	wac6502d-s_firmware	𝑥 ≤ 6.25\(aase.7\)
zyxel	wac6503d-s_firmware	𝑥 ≤ 6.25\(aasf.7\)
zyxel	wac6553d-s_firmware	𝑥 ≤ 6.25\(aasg.7\)
zyxel	wac6552d-s_firmware	𝑥 ≤ 6.25\(abio.7\)
zyxel	wax510d_firmware	𝑥 ≤ 6.30\(abtf.2\)
zyxel	wax610d_firmware	𝑥 ≤ 6.30\(abte.2\)
zyxel	wax630s_firmware	𝑥 ≤ 6.30\(abzd.2\)
zyxel	wax650s_firmware	𝑥 ≤ 6.30\(abrm.2\)

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-20 - Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

References

http://packetstormsecurity.com/files/167464/Zyxel-Buffer-Overflow-Format-String-Command-Injection.html

http://packetstormsecurity.com/files/177036/Zyxel-zysh-Format-String-Proof-Of-Concept.html

http://seclists.org/fulldisclosure/2022/Jun/15

https://www.zyxel.com/support/multiple-vulnerabilities-of-firewalls-AP-controllers-and-APs.shtml

http://packetstormsecurity.com/files/167464/Zyxel-Buffer-Overflow-Format-String-Command-Injection.html

http://packetstormsecurity.com/files/177036/Zyxel-zysh-Format-String-Proof-Of-Concept.html

http://seclists.org/fulldisclosure/2022/Jun/15

https://www.zyxel.com/support/multiple-vulnerabilities-of-firewalls-AP-controllers-and-APs.shtml