Atdog

#2525 of 53,625
97.8 CVSS total
Vulnerabilities · 12
Medium: 2
High: 9
Critical: 1
PT-2023-8711
8.3
2023-11-30
Zyxel · Nwa50Ax · CVE-2023-6398
**Name of the Vulnerable Software and Affected Versions**

- ZyXEL USG FLEX versions 4.50 through 5.37 Patch 1
- ZyXEL USG FLEX 50(W)/USG20(W)-VPN versions 4.16 through 5.37 Patch 1
- ZyXEL USG FLEX H versions 1.10 through 1.10 Patch 1
- ZyXEL ATP series firmware versions 4.32 through 5.37 Patch 1
- NWA50AX firmware versions through 6.29(ABYW.3)
- WAC500 firmware versions through 6.65(ABVS.1)
- WAX300H firmware versions through 6.60(ACHF.1)
- WBE660S firmware versions through 6.65(ACGG.1)

**Description**

The issue is related to a post-authentication command injection vulnerability in the file upload binary, allowing an authenticated attacker with administrator privileges to execute some operating system (OS) commands on an affected device via FTP. This can be achieved by exploiting the vulnerability in the file upload process, which does not properly neutralize special elements used in the command.

**Recommendations**

- For ZyXEL USG FLEX versions 4.50 through 5.37 Patch 1, update to a version later than 5.37 Patch 1.
- For ZyXEL USG FLEX 50(W)/USG20(W)-VPN versions 4.16 through 5.37 Patch 1, update to a version later than 5.37 Patch 1.
- For ZyXEL USG FLEX H versions 1.10 through 1.10 Patch 1, update to a version later than 1.10 Patch 1.
- For ZyXEL ATP series firmware versions 4.32 through 5.37 Patch 1, update to a version later than 5.37 Patch 1.
- For NWA50AX firmware versions through 6.29(ABYW.3), update to a version later than 6.29(ABYW.3).
- For WAC500 firmware versions through 6.65(ABVS.1), update to a version later than 6.65(ABVS.1).
- For WAX300H firmware versions through 6.60(ACHF.1), update to a version later than 6.60(ACHF.1).
- For WBE660S firmware versions through 6.65(ACGG.1), update to a version later than 6.65(ACGG.1).
- As a temporary workaround, consider restricting access to the FTP service until a patch is available.

PT-2023-7186
7.8
2023-11-27
Zyxel · Zyxel Atp Series · CVE-2023-4398
**Name of the Vulnerable Software and Affected Versions**

- Zyxel ATP series firmware versions 4.32 through 5.37
- Zyxel USG FLEX series firmware versions 4.50 through 5.37
- Zyxel USG FLEX 50(W) series firmware versions 4.16 through 5.37
- Zyxel USG20(W)-VPN series firmware versions 4.16 through 5.37
- Zyxel VPN series firmware versions 4.30 through 5.37

**Description**

The issue is related to an integer overflow vulnerability in the QuickSec IPSec toolkit used in the VPN feature of various Zyxel devices. This vulnerability could allow an unauthenticated attacker to cause denial-of-service (DoS) conditions on an affected device by sending a crafted IKE packet.

**Recommendations**

- For Zyxel ATP series firmware versions 4.32 through 5.37, update to a version that fixes the integer overflow vulnerability in the QuickSec IPSec toolkit.
- For Zyxel USG FLEX series firmware versions 4.50 through 5.37, update to a version that fixes the integer overflow vulnerability in the QuickSec IPSec toolkit.
- For Zyxel USG FLEX 50(W) series firmware versions 4.16 through 5.37, update to a version that fixes the integer overflow vulnerability in the QuickSec IPSec toolkit.
- For Zyxel USG20(W)-VPN series firmware versions 4.16 through 5.37, update to a version that fixes the integer overflow vulnerability in the QuickSec IPSec toolkit.
- For Zyxel VPN series firmware versions 4.30 through 5.37, update to a version that fixes the integer overflow vulnerability in the QuickSec IPSec toolkit.
- As a temporary workaround, consider restricting access to the IKE packet handling functionality until a patch is available.

PT-2023-2852
10
2023-05-24
Zyxel · Zyxel Usg20(W)-Vpn · CVE-2023-33009
**Name of the Vulnerable Software and Affected Versions**

- Zyxel ATP series firmware versions 4.32 through 5.36 Patch 1
- Zyxel USG FLEX series firmware versions 4.50 through 5.36 Patch 1
- Zyxel USG FLEX 50(W) firmware versions 4.25 through 5.36 Patch 1
- Zyxel USG20(W)-VPN firmware versions 4.25 through 5.36 Patch 1
- Zyxel VPN series firmware versions 4.30 through 5.36 Patch 1
- Zyxel ZyWALL/USG series firmware versions 4.25 through 4.73 Patch 1

**Description**

A buffer overflow vulnerability in the notification function could allow an unauthenticated attacker to cause denial-of-service (DoS) conditions and even a remote code execution on an affected device. The vulnerability is related to a lack of size checking for input data, which can be exploited by a remote attacker.

**Recommendations**

- For Zyxel ATP series firmware versions 4.32 through 5.36 Patch 1, update to a version later than 5.36 Patch 1.
- For Zyxel USG FLEX series firmware versions 4.50 through 5.36 Patch 1, update to a version later than 5.36 Patch 1.
- For Zyxel USG FLEX 50(W) firmware versions 4.25 through 5.36 Patch 1, update to a version later than 5.36 Patch 1.
- For Zyxel USG20(W)-VPN firmware versions 4.25 through 5.36 Patch 1, update to a version later than 5.36 Patch 1.
- For Zyxel VPN series firmware versions 4.30 through 5.36 Patch 1, update to a version later than 5.36 Patch 1.
- For Zyxel ZyWALL/USG series firmware versions 4.25 through 4.73 Patch 1, update to a version later than 4.73 Patch 1.
- As a temporary workaround, consider disabling the notification function until a patch is available.

PT-2023-3606
8.8
2023-05-17
Zyxel · Zyxel Atp Series · CVE-2023-33011
**Name of the Vulnerable Software and Affected Versions**

- Zyxel ATP series versions 5.10 through 5.36 Patch 2
- Zyxel USG FLEX series versions 5.00 through 5.36 Patch 2
- Zyxel USG FLEX 50(W) series versions 5.10 through 5.36 Patch 2
- Zyxel USG20(W)-VPN series versions 5.10 through 5.36 Patch 2
- Zyxel VPN series versions 5.00 through 5.36 Patch 2

**Description**

A format string vulnerability in the Zyxel firmware could allow an unauthenticated, LAN-based attacker to execute some OS commands by using a crafted PPPoE configuration on an affected device when the cloud management mode is enabled. The vulnerability is related to the use of uncontrolled format strings, which may allow a remote attacker to execute arbitrary commands.

**Recommendations**

- For Zyxel ATP series versions 5.10 through 5.36 Patch 2, update to a version later than 5.36 Patch 2.
- For Zyxel USG FLEX series versions 5.00 through 5.36 Patch 2, update to a version later than 5.36 Patch 2.
- For Zyxel USG FLEX 50(W) series versions 5.10 through 5.36 Patch 2, update to a version later than 5.36 Patch 2.
- For Zyxel USG20(W)-VPN series versions 5.10 through 5.36 Patch 2, update to a version later than 5.36 Patch 2.
- For Zyxel VPN series versions 5.00 through 5.36 Patch 2, update to a version later than 5.36 Patch 2.
- As a temporary workaround, consider disabling the cloud management mode until a patch is available.
- Restrict access to the PPPoE configuration to minimize the risk of exploitation.

PT-2023-3605
8.8
2023-05-17
Zyxel · Zyxel Atp Series · CVE-2023-33012
**Name of the Vulnerable Software and Affected Versions**

- Zyxel USG FLEX series firmware versions 5.00 through 5.36 Patch 2
- Zyxel USG FLEX 50(W) series firmware versions 5.10 through 5.36 Patch 2
- Zyxel USG20(W)-VPN series firmware versions 5.10 through 5.36 Patch 2
- Zyxel ATP series firmware versions 5.10 through 5.36 Patch 2
- Zyxel VPN series firmware versions 5.00 through 5.36 Patch 2

**Description**

The issue is related to a command injection vulnerability in the configuration parser of the affected Zyxel devices. This vulnerability can be exploited by an unauthenticated, LAN-based attacker to execute some OS commands by using a crafted GRE configuration when the cloud management mode is enabled. The exploitation occurs during an attempted `ip addr` command, and the order of operations is important for successful exploitation. It is estimated that out of approximately 7,600 devices using vulnerable firmware, around 607 were using the vulnerable configuration.

**Recommendations**

- For Zyxel USG FLEX series firmware versions 5.00 through 5.36 Patch 2, update to a version later than 5.36 Patch 2.
- For Zyxel USG FLEX 50(W) series firmware versions 5.10 through 5.36 Patch 2, update to a version later than 5.36 Patch 2.
- For Zyxel USG20(W)-VPN series firmware versions 5.10 through 5.36 Patch 2, update to a version later than 5.36 Patch 2.
- For Zyxel ATP series firmware versions 5.10 through 5.36 Patch 2, update to a version later than 5.36 Patch 2.
- For Zyxel VPN series firmware versions 5.00 through 5.36 Patch 2, update to a version later than 5.36 Patch 2.
- As a temporary workaround, consider disabling the cloud management mode until a patch is available.
- Restrict access to the GRE configuration to minimize the risk of exploitation.
- Avoid using the `proto vti` configuration option in the affected API endpoint until the issue is resolved.

PT-2022-6318
8.3
2022-08-22
Zyxel · Zywall/Usg · CVE-2022-38547
**Name of the Vulnerable Software and Affected Versions**

- Zyxel ZyWALL/USG series firmware versions 4.20 through 4.72
- Zyxel VPN series firmware versions 4.30 through 5.32
- Zyxel USG FLEX series firmware versions 4.50 through 5.32
- Zyxel ATP series firmware versions 4.32 through 5.32

**Description**

The issue is related to a command injection vulnerability in the CLI command of the Zyxel firmware, which could allow an authenticated attacker with administrator privileges to execute operating system commands. This is due to a lack of proper sanitization of special elements used in the operating system command. Exploitation of this vulnerability may allow a remote attacker to execute arbitrary commands.

**Recommendations**

- For Zyxel ZyWALL/USG series firmware versions 4.20 through 4.72, update to a version outside this range to mitigate the risk.
- For Zyxel VPN series firmware versions 4.30 through 5.32, update to a version outside this range to mitigate the risk.
- For Zyxel USG FLEX series firmware versions 4.50 through 5.32, update to a version outside this range to mitigate the risk.
- For Zyxel ATP series firmware versions 4.32 through 5.32, update to a version outside this range to mitigate the risk.
- As a temporary workaround, consider restricting access to the CLI command to minimize the risk of exploitation.

PT-2020-10731
7.1
2020-04-16
NetGear · Ex3700 · CVE-2019-20756
**Name of the Vulnerable Software and Affected Versions**

- NETGEAR EX7000 versions before 1.0.0.64
- NETGEAR EX6200 versions before 1.0.3.86
- NETGEAR EX6150 versions before 1.0.0.38
- NETGEAR EX6130 versions before 1.0.0.22
- NETGEAR EX6120 versions before 1.0.0.40
- NETGEAR EX6100 versions before 1.0.2.22
- NETGEAR EX6000 versions before 1.0.0.30
- NETGEAR EX3700 versions before 1.0.0.70
- NETGEAR EX3800 versions before 1.0.0.70
- NETGEAR R8300 versions before 1.0.2.94
- NETGEAR R7300DST versions before 1.0.0.62
- NETGEAR R7000P versions before 1.3.0.20
- NETGEAR R6900P versions before 1.3.0.20
- NETGEAR R6400 versions before 1.0.1.32
- NETGEAR R6300v2 versions before 1.0.4.24
- NETGEAR R8500 versions before 1.0.2.94
- NETGEAR WNDR3400v3 versions before 1.0.1.18
- NETGEAR WN2500RPv2 versions before 1.0.1.52

**Description**

The issue is related to reflected XSS, which affects certain NETGEAR devices.

**Recommendations**

- Update the EX7000 to version 1.0.0.64 or later
- Update the EX6200 to version 1.0.3.86 or later
- Update the EX6150 to version 1.0.0.38 or later
- Update the EX6130 to version 1.0.0.22 or later
- Update the EX6120 to version 1.0.0.40 or later
- Update the EX6100 to version 1.0.2.22 or later
- Update the EX6000 to version 1.0.0.30 or later
- Update the EX3700 to version 1.0.0.70 or later
- Update the EX3800 to version 1.0.0.70 or later
- Update the R8300 to version 1.0.2.94 or later
- Update the R7300DST to version 1.0.0.62 or later
- Update the R7000P to version 1.3.0.20 or later
- Update the R6900P to version 1.3.0.20 or later