Zyxel Vulnerability CVE-2023-28771: A Threat to Your Network

CVE-2023-28771

Improper error message handling in Zyxel ZyWALL/USG series firmware versions 4.60 through 4.73, VPN series firmware versions 4.60 through 5.35, USG FLEX series firmware versions 4.60 through 5.35, and ATP series firmware versions 4.60 through 5.35 could allow an unauthenticated attacker to execute OS commands remotely by sending crafted packets to an affected device.

While reviewing a firewall log entry from an attempt by DDoS botnets to exploit the Zyxel vulnerability CVE-2023-28771, I analysed the traffic, identified the indicators and worked out the phases of the attack, which are described below.



Log

<XXX>date=XXXX-XX-XX time=XX:XX:XX devname="xxx-xx-xx" devid="XX-xxx-xxx" logid="*****" type="traffic" subtype="local" level="notice" vd="root" eventtime=***** srcip=109.207.200.47 srcport=500 srcintf="wan2" srcintfrole="wan" dstip=X.X.X.X dstport=500 dstintf=unknown-0 dstintfrole="undefined" sessionid=**** proto=17 action="accept" policyid=0 policytype="local-in-policy" service="IKE" dstcountry="India" srccountry="Ukraine" trandisp="noop" app="IPSec" duration=60 sentbyte=0 rcvdbyte=0 sentpkt=0 rcvdpkt=0 appcat="unscanned"

The fields relevant to the analysis are srcip, srcport, srcintfrole, dstport, proto, action, policytype, service and app.

Technical analysis:

The log shows a UDP packet (proto=17) from 109.207.200.47, source port 500, arriving on the WAN interface (wan2) and addressed to port 500 on the firewall itself, which is the IKE (Internet Key Exchange) service of IPsec. The local-in policy accepted it, so the attacker reached the IKE listener and attempted to start an IKE session. The session did not complete (the byte and packet counters in both directions are zero), but the attempt to exploit the vulnerability was still logged.

Research into the Zyxel vulnerability showed that this source IP address is one of the indicators of compromise (IOCs) associated with the DDoS botnet campaign exploiting CVE-2023-28771.
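As an added example (not part of the original post), the following Python script parses FortiGate-style key=value traffic-log lines like the one above and flags entries that match the pattern of the logged attempt: unsolicited IKE (UDP/500) traffic to the firewall's own WAN interface, a source address on an IOC list, and zero bytes exchanged. The two sample log lines, the IOC set (whose only entry is the source address from the log above) and the matching rules are constructed for the illustration; adapt the field names and the IOC feed to your own log source.

```python
import re

# Constructed sample lines in the FortiGate key=value traffic-log format of the entry
# above. The first reproduces the fields of the logged attempt (placeholder values for
# the redacted ones); the second is a benign HTTPS connection to the firewall from an
# unrelated address, included as a negative case.
SAMPLE_LOGS = [
    'date=2023-06-01 time=10:00:00 devname="fw-edge" devid="FG-0001" logid="0001000014" '
    'type="traffic" subtype="local" level="notice" vd="root" srcip=109.207.200.47 '
    'srcport=500 srcintf="wan2" srcintfrole="wan" dstip=203.0.113.10 dstport=500 '
    'dstintf=unknown-0 dstintfrole="undefined" proto=17 action="accept" policyid=0 '
    'policytype="local-in-policy" service="IKE" dstcountry="India" srccountry="Ukraine" '
    'app="IPSec" duration=60 sentbyte=0 rcvdbyte=0 sentpkt=0 rcvdpkt=0',
    'date=2023-06-01 time=10:00:05 devname="fw-edge" devid="FG-0001" logid="0001000014" '
    'type="traffic" subtype="local" level="notice" vd="root" srcip=198.51.100.7 '
    'srcport=51514 srcintf="wan2" srcintfrole="wan" dstip=203.0.113.10 dstport=443 '
    'dstintf=unknown-0 dstintfrole="undefined" proto=6 action="accept" policyid=0 '
    'policytype="local-in-policy" service="HTTPS" app="HTTPS" duration=2 '
    'sentbyte=1200 rcvdbyte=800 sentpkt=4 rcvdpkt=5',
]

# Hypothetical IOC list for this illustration: its only entry is the source address
# from the log above. In practice this would be fed from a threat-intel source.
IOC_IPS = {"109.207.200.47"}

# One key=value token: the value is either double-quoted or a bare run of non-spaces.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_fortigate_log(line):
    """Parse a FortiGate key=value log line into a dict of string fields."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _KV.finditer(line)}


def classify(entry):
    """Return the reasons an entry looks like an unsolicited IKE probe (empty if none)."""
    reasons = []
    if entry.get("srcip") in IOC_IPS:
        reasons.append("source IP on IOC list")
    # UDP to port 500 that the local-in policy delivered to the firewall's WAN side.
    is_ike_to_fw = (entry.get("proto") == "17" and entry.get("dstport") == "500"
                    and entry.get("policytype") == "local-in-policy"
                    and entry.get("srcintfrole") == "wan")
    if is_ike_to_fw:
        reasons.append("inbound UDP/500 (IKE) to the firewall's own WAN interface")
        counters = ("sentbyte", "rcvdbyte", "sentpkt", "rcvdpkt")
        if all(entry.get(c) == "0" for c in counters):
            reasons.append("zero bytes/packets counted in either direction: "
                           "no IKE exchange completed")
    return reasons


def find_suspicious(lines):
    """Run classify() over raw log lines and return hits as {srcip, dstip, reasons}."""
    hits = []
    for line in lines:
        entry = parse_fortigate_log(line)
        reasons = classify(entry)
        if reasons:
            hits.append({"srcip": entry.get("srcip"),
                         "dstip": entry.get("dstip"),
                         "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOGS):
        print(f"{hit['srcip']} -> {hit['dstip']}: " + "; ".join(hit["reasons"]))
```

Run against the sample, only the first line is reported, with all three reasons. The IOC match alone is enough to alert; the IKE-to-WAN rule is the more durable signal, because botnet source addresses rotate while the delivery path (UDP/500 to the WAN interface) does not.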

The Zyxel vulnerability arises from improper error message handling and can be triggered by sending a specially crafted UDP packet to port 500 on the WAN interface of a vulnerable device, allowing attackers to achieve OS command execution as the root user.

The vulnerability is easy to weaponize, and successful exploitation does not depend on prior authentication.

"The vulnerable component is the Internet Key Exchange (IKE) packet decoder, which forms part of the IPSec VPN service offered by the device," Rapid7 researchers said, but pointed out that a VPN does not need to be configured on the device for the device to be vulnerable.

The above content is referenced from the following source: https://www.helpnetsecurity.com/2023/05/22/cve-2023-28771/

The exploit is publicly available.

A Threat to Your Network - Phases of exploiting CVE-2023-28771:

The first phase is to identify the vulnerable devices. This can be done by scanning the network for devices that are running affected firmware versions. Once the vulnerable devices have been identified, the next phase is to gather information about them. This includes information such as the IP address, hostname and firmware version.

The third phase is to create a malformed IKE packet. This packet needs to be malformed in a specific way in order to trigger the command injection vulnerability. The exact contents of the malformed IKE packet depend on the commands that the attacker wants to execute.

The fourth phase is to send the malformed IKE packet to the vulnerable device. Once the packet is sent, the firewall will execute the arbitrary commands that are contained in the packet.

The final phase is to verify that the exploit was successful. This can be done by checking the firewall logs or by running commands on the firewall.

Here is a breakdown of the phases in more details:

  • Phase 1: Identification
    • Identify the vulnerable devices by scanning the network for devices that are running affected firmware versions.
  • Phase 2: Gathering information
    • Gather information about the vulnerable devices, such as the IP address, hostname, and firmware version.
  • Phase 3: Creating the malformed IKE packet
    • Create a malformed IKE packet that is malformed in a specific way in order to trigger the command injection vulnerability.
  • Phase 4: Sending the malformed IKE packet
    • Send the malformed IKE packet to the vulnerable device.
  • Phase 5: Verifying the exploit
    • Verify that the exploit was successful by checking the firewall logs or by running commands on the firewall.

Affected Products

The following Zyxel firewall series and firmware versions are affected by the vulnerability:

  • ZyWALL/USG series: ZLD V4.60 through V4.73
  • VPN series: ZLD V4.60 through V5.35
  • USG FLEX series: ZLD V4.60 through V5.35
  • ATP series: ZLD V4.60 through V5.35
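To turn the affected-version ranges above into a check that can be run against a device inventory, here is an added Python example (not from the original post and not Zyxel's code). The ranges come from the CVE description at the top of the page; the fixed versions, ZLD V4.73 Patch 1 for the ZyWALL/USG series and ZLD V5.36 for the ATP, USG FLEX and VPN series, are from Zyxel's advisory. The version-string format ("ZLD V5.35 Patch 2") and the sample inventory are assumptions for the illustration.

```python
import re

# Affected firmware ranges (inclusive) per series, from the CVE description above.
# Versions are (major, minor, patch). A None patch in the upper bound means every
# patch level of that minor release is affected. Fixed versions (Zyxel advisory):
# ZLD V4.73 Patch 1 for ZyWALL/USG, ZLD V5.36 for ATP, USG FLEX and VPN.
AFFECTED_RANGES = {
    "ZyWALL/USG": ((4, 60, 0), (4, 73, 0)),
    "VPN":        ((4, 60, 0), (5, 35, None)),
    "USG FLEX":   ((4, 60, 0), (5, 35, None)),
    "ATP":        ((4, 60, 0), (5, 35, None)),
}

# Assumed version-string format, e.g. "ZLD V5.35 Patch 2" or "V4.73"; a missing
# patch level is treated as Patch 0.
_VERSION = re.compile(r"V?(\d+)\.(\d+)(?:\s*Patch\s*(\d+))?", re.IGNORECASE)

# Constructed sample inventory (hostnames and firmware strings are hypothetical).
INVENTORY = [
    {"host": "fw-branch-1", "series": "USG FLEX",   "firmware": "ZLD V5.35 Patch 2"},
    {"host": "fw-hq",       "series": "ATP",        "firmware": "ZLD V5.36"},
    {"host": "fw-legacy-1", "series": "ZyWALL/USG", "firmware": "ZLD V4.73"},
    {"host": "fw-legacy-2", "series": "ZyWALL/USG", "firmware": "ZLD V4.73 Patch 1"},
    {"host": "fw-old",      "series": "VPN",        "firmware": "ZLD V4.35"},
]


def parse_zld_version(text):
    """Parse 'ZLD V4.73 Patch 1' style strings into a (major, minor, patch) tuple."""
    m = _VERSION.search(text)
    if not m:
        raise ValueError(f"unrecognised ZLD version string: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_affected(series, version_text):
    """True if the firmware version falls inside the affected range for the series."""
    if series not in AFFECTED_RANGES:
        raise KeyError(f"unknown series {series!r}; expected one of {sorted(AFFECTED_RANGES)}")
    low, high = AFFECTED_RANGES[series]
    version = parse_zld_version(version_text)
    if version < low:
        return False
    if high[2] is None:
        # Whole minor release affected regardless of patch level (e.g. all of 5.35).
        return version[:2] <= high[:2]
    return version <= high


def audit(inventory):
    """Classify each device as vulnerable, patched, or below the advisory's range."""
    result = {"vulnerable": [], "patched": [], "below_range": []}
    for device in inventory:
        low = AFFECTED_RANGES[device["series"]][0]
        if parse_zld_version(device["firmware"]) < low:
            # Not covered by the advisory at all: review by hand, do not assume safe.
            result["below_range"].append(device["host"])
        elif is_affected(device["series"], device["firmware"]):
            result["vulnerable"].append(device["host"])
        else:
            result["patched"].append(device["host"])
    return result


if __name__ == "__main__":
    for status, hosts in audit(INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Note the asymmetry in the patch-level handling: for ZyWALL/USG the fix landed as a patch release of the same minor version, so V4.73 is affected but V4.73 Patch 1 is not, whereas for the other series every patch level of 5.35 remains affected and only 5.36 clears the check. Firmware older than 4.60 is reported separately rather than as safe, since the advisory does not cover it.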

Recommendations

Zyxel has released firmware updates that address the vulnerability: ZLD V4.73 Patch 1 for the ZyWALL/USG series and ZLD V5.36 for the ATP, USG FLEX and VPN series. Users of affected products are advised to update their firmware as soon as possible. Because the vulnerable IKE decoder is reachable on the WAN interface even when no VPN is configured, administrators who do not use IPsec VPN should also restrict inbound UDP port 500 on the WAN to known peers, and should review firewall logs for unsolicited IKE traffic from unknown sources such as the entry analysed above.


Conclusion

The CVE-2023-28771 vulnerability is a serious threat to Zyxel users. Users of affected products are advised to update their firmware as soon as possible, restrict inbound IKE traffic on the WAN where IPsec VPN is not needed, and monitor their logs for unsolicited UDP/500 traffic to the firewall.
