Note: Before you apply the hotfix or the release version, reboot the device once. This reduces the risk of a watchdog reboot during the firmware upgrade, which could otherwise lead to an RMA.
If you are already affected, jump to our FAQ section for further Troubleshooting Tips!
We have received several reports of VPN connection problems and network interruptions. In response, we expedited an urgent hotfix firmware, available since 5/23 for all models, that addresses the issue. Since 5/24 Zyxel has also released official patch releases for the firewalls affected by multiple buffer overflow vulnerabilities. Users are advised to install them for optimal protection.
See the CVE details on our Global Webpage:
CVE-2023-33009
A buffer overflow vulnerability in the notification function in some firewall versions could allow an unauthenticated attacker to cause denial-of-service (DoS) conditions and even a remote code execution on an affected device.
CVE-2023-33010
A buffer overflow vulnerability in the ID processing function in some firewall versions could allow an unauthenticated attacker to cause DoS conditions and even a remote code execution on an affected device.
Acknowledgment
Thanks to the following security consultancies:
- Lays and atdog from TRAPA Security, followed by
- STAR Labs SG
Need a complete package for all models?
Download here for all devices in one step! (3GB)
You can also use the Cloud Firmware upgrade and install 5.36 Patch 2 or 4.73 Patch 2 instead of the hotfix version. How to upgrade USG devices via cloud-service
Note: If you are already affected, the easiest and most secure way is to upgrade the firmware on-site: unplug the WAN uplink, reboot, then upgrade. If you have to do it remotely, follow the steps in the FAQ section below the firmware table.
| Model | Firmware Hotfix |
|---|---|
| Legacy Devices (4.73 Patch 1 based, includes all latest weekly fixes) | |
| USG40 | Download Hotfix |
| USG40W | Download Hotfix |
| USG60 | Download Hotfix |
| USG60W | Download Hotfix |
| USG110 | Download Hotfix |
| USG210 | Download Hotfix |
| USG310 | Download Hotfix |
| USG1100 | Download Hotfix |
| USG1900 | Download Hotfix |
| USG2200 | Download Hotfix |
| ZyWALL110 | Download Hotfix |
| ZyWALL310 | Download Hotfix |
| ZyWALL1100 | Download Hotfix |
| On-Premise Devices (5.36 Patch 1 based, includes all latest weekly fixes) | |
| USG FLEX 50 / USG20-VPN | Download Hotfix |
| USG FLEX 50W / USG20W-VPN | Download Hotfix |
| USG FLEX 100 | Download Hotfix |
| USG FLEX 100W | Download Hotfix |
| USG FLEX 200 | Download Hotfix |
| USG FLEX 500 | Download Hotfix |
| USG FLEX 700 | Download Hotfix |
| VPN50 | Download Hotfix |
| VPN100 | Download Hotfix |
| VPN300 | Download Hotfix |
| VPN1000 | Download Hotfix |
| ATP100 | Download Hotfix |
| ATP100W | Download Hotfix |
| ATP200 | Download Hotfix |
| ATP500 | Download Hotfix |
| ATP700 | Download Hotfix |
| ATP800 | Download Hotfix |
| EOL Legacy devices (3.30) | Not affected |
FAQ Section
Which symptoms show up in my network or on my firewall if I am already affected?
- The GUI may not let you log in to the admin interface (ZySH daemon busy)
- VPN may be unstable (traffic passes only intermittently, or tunnels are rebuilt frequently with short uptime)
- The device may reboot if the watchdog has to recover the daemon too often
- The device shows high CPU usage (90% or higher)
Which firmware version do I need to be safe?
- Install the latest firmware, 5.36 Patch 2 (or 4.73 Patch 2 for legacy devices), or the hotfix from the table above
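When you manage more than a handful of firewalls, the quickest way to find the ones that still need attention is to audit the firmware version each device reports against the minimums named above. The following Python script is an added example, not Zyxel's code or part of this article; it assumes the version string format the firewalls display ("V5.36(ABUJ.2)": major.minor, then a model code and the patch number in parentheses), the constructed inventory is made up, and the `assess`/`audit` function names are ours. Because the hotfix is built on Patch 1 of the same release, the script deliberately does not declare a Patch 1 device safe or vulnerable but flags it for a manual check of whether the hotfix build is installed.

```python
import re

# Added example, not Zyxel's code. Minimum patched releases as stated on this page:
#   5.x line (USG FLEX / VPN / ATP): 5.36 Patch 2
#   4.x line (USG / ZyWALL legacy):  4.73 Patch 2
# EOL 3.30 is stated as not affected.
PATCHED_FLOOR = {5: (5, 36, 2), 4: (4, 73, 2)}

# Assumed format of the reported version string, e.g. "V5.36(ABUJ.1)":
# major.minor, then a four-letter model code and the patch number in parentheses.
# Anything after the closing parenthesis (weekly build tags) is ignored.
VERSION_RE = re.compile(r"^V?(\d+)\.(\d+)\(([A-Z]+)\.(\d+)\)")


def parse_version(text):
    """Return (major, minor, patch) from a string like 'V4.73(AAKY.1)'."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    major, minor, _model_code, patch = m.groups()
    return int(major), int(minor), int(patch)


def assess(version):
    """Classify one device: patched, vulnerable, not_affected, check_hotfix or unknown."""
    major, minor, patch = parse_version(version)
    if (major, minor) == (3, 30):
        return "not_affected"
    floor = PATCHED_FLOOR.get(major)
    if floor is None:
        return "unknown"
    if (major, minor, patch) >= floor:
        return "patched"
    # The hotfix is built on Patch 1 of the same release; assumption: it still
    # reports itself as Patch 1, so the string alone cannot prove it is installed.
    if (major, minor) == floor[:2] and patch == 1:
        return "check_hotfix"
    return "vulnerable"


def audit(inventory):
    """inventory: iterable of (hostname, model, version). Returns {hostname: status}."""
    report = {}
    for hostname, _model, version in inventory:
        try:
            report[hostname] = assess(version)
        except ValueError:
            report[hostname] = "unknown"  # unparsable string: look at the device by hand
    return report


# Constructed sample inventory (made-up hostnames and model codes).
SAMPLE_INVENTORY = [
    ("fw-hq", "USG FLEX 500", "V5.36(ABUJ.2)"),
    ("fw-branch1", "USG60", "V4.73(AAKY.1)"),
    ("fw-branch2", "USG FLEX 100", "V5.36(ABUH.1)"),
    ("fw-lab", "ATP200", "V5.30(ABFW.1)"),
    ("fw-old", "ZyWALL 110", "V3.30(AAAA.7)"),
    ("fw-typo", "VPN100", "5.36 p2"),
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host:12} {status}")
```

Devices reported as `vulnerable` are the ones to upgrade first; `check_hotfix` devices are on the right release but need a look at the running build to confirm the hotfix, and `unknown` entries are strings the script could not parse and have to be checked manually.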
What if I can't log in to the device, or only sometimes?
- Reboot the device first, then apply the firmware.
- If the device is still unresponsive, temporarily block IKE from the WAN so the affected daemon is no longer hit while you upgrade: create a temporary service object "IKE500" for UDP port 500 (Object > Service) and a temporary firewall rule "WAN to ZyWALL", Service: IKE500, Action: Block. Note that while this rule is in place no IPsec VPN tunnel can be negotiated over the WAN; remove the temporary rule and object again once the upgraded firmware is running.
If you are on-site, you can also unplug the WAN uplink for the time being and perform the upgrade locally. This also works remotely if someone on-site unplugs the WAN uplink for you and you perform the upgrade through a remote-desktop session (e.g. TeamViewer) over an alternative connection such as a smartphone hotspot.
These steps should stabilize the device long enough to upgrade the firmware to a protected version.
My VPN is still unstable after I upgraded the device, what can I do?
For site-to-site VPN, both peers must be upgraded; the protection is only complete once both sides run patched firmware.
Do I still need to upgrade to 5.36 Patch 2 or 4.73 Patch 2 if I apply the hotfix?
No, the hotfix already contains the same fix, so no further upgrade is needed.
Is my Nebula-managed device also affected?
Yes. Updates for Nebula are available now, and the firewall can be updated through the Nebula Control Center.
Nebula CC - Upgrading a Device Firmware [Firmware Management]
I want to install the firmware, but the progress stays at 100% after the upload, or the device does not reboot, what can I do?
This can happen if you are on an older firmware version (for example 5.30) and are affected by issues addressed by previously released fixes. Please contact Support for further assistance.
Is there another way to upgrade the firmware if the upgrade via the GUI does not work?
You can try to upgrade the firmware through FTP. USG & ZyWALL - Firmware update per FTP
If you have any further questions, just comment on this article and we'll be in touch with you shortly.
Or contact the Support Team!