Exploit
CVE-2023-33010

Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') (CWE-120)

Published: May 24, 2023 / Updated: 18mo ago

CVSS 9.8 (Critical) / EPSS 2.24%

A buffer overflow vulnerability in the ID processing function in Zyxel ATP series firmware versions 4.32 through 5.36 Patch 1, USG FLEX series firmware versions 4.50 through 5.36 Patch 1, USG FLEX 50(W) firmware versions 4.25 through 5.36 Patch 1, USG20(W)-VPN firmware versions 4.25 through 5.36 Patch 1, VPN series firmware versions 4.30 through 5.36 Patch 1, ZyWALL/USG series firmware versions 4.25 through 4.73 Patch 1, could allow an unauthenticated attacker to cause denial-of-service (DoS) conditions and even a remote code execution on an affected device.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

First Article

Feedly found the first article mentioning CVE-2023-33010.

May 24, 2023 at 12:30 PM / cve.report
Exploitation in the Wild

Attacks in the wild have been reported by the CISA Known Exploited Vulnerabilities catalog.

Jun 5, 2023 at 11:00 AM / CISA Known Exploited Vulnerability
Threat Intelligence Report

CVE-2023-33010 is a critical buffer overflow vulnerability affecting Zyxel firewalls, listed in the CISA Known Exploited Vulnerabilities catalog. It can be exploited by attackers without authentication, leading to denial-of-service attacks and remote code execution. Organizations should prioritize patching and follow Zyxel's guidance to mitigate the risk of exploitation and potential downstream impacts on third-party vendors.

Jun 13, 2023 at 9:23 AM
EPSS

EPSS Score was set to: 2.24% (Percentile: 88.2%)

Sep 16, 2023 at 9:12 AM
Exploitation in the Wild

Attacks in the wild have been reported by Risky Business News.

Nov 15, 2023 at 5:33 AM / Risky Business News
Exploitation in the Wild

Attacks in the wild have been reported by Black Hat Ethical Hacking.

Nov 16, 2023 at 9:18 AM / Black Hat Ethical Hacking
Attribution of Exploits

The vulnerability is known to be exploited by Sandworm.

Nov 16, 2023 at 2:01 PM / Infosecurity
Exploitation in the Wild

Attacks in the wild have been reported by Infosecurity Magazine.

Nov 21, 2023 at 9:47 AM / Infosecurity Magazine
Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Qualys (QID 731230).

Mar 7, 2024 at 12:00 AM

Affected Systems

Id/id-software

Proof Of Exploit

https://www.cisa.gov/known-exploited-vulnerabilities-catalog

Patches

www.zyxel.com

Links to Malware Families

Mirai

Links to Threat Actors

Sandworm

Attack Patterns

CAPEC-10: Buffer Overflow via Environment Variables

References

The attack against Danish, critical infrastructure [pdf]
to detect cyber attacks against Danish critical infrastructure. Without SektorCERT's sensor network to detect the attacks, our skille
How to Analyze Windows Executable Files Using PEStudio?
PEStudio is a popular tool used by malware analysts and reverse engineers to analyze and detect anomalies in Windows portable executable (PE) files like EXEs and DLLs. This comprehensive guide will explain what PEStudio is, how to download and install it, overview its key features, and provide a step-by-step walkthrough to investigate Windows executable files using PEStudio. Section Table – Contains details on each section like name, virtual address, raw data size, file pointer, permissions, etc.
Rewterz Threat Advisory – ICS: Delta Electronics CNCSoft-B DOPSoft Vulnerability
Delta Electronics CNCSoft-B DOPSoft is vulnerable to a stack-based buffer overflow, caused by improper bounds checking. Delta Electronics CNCSoft-B DOPSoft 1.0.0.4

News

New assessment for topic: CVE-2023-33010
Topic description: "A buffer overflow vulnerability in the ID processing function in Zyxel ATP series firmware versions 4.32 through 5.36 Patch 1, USG FLEX series firmware versions 4.50 through 5.36 Patch 1, USG FLEX 50(W) firmware versions 4.25 through 5.36 Patch 1, USG20(W)-VPN firmware versions 4.25 through 5.36 Patch 1, VPN series firmware versions 4.30 through 5.36 Patch 1, ZyWALL/USG series firmware versions 4.25 through 4.73 Patch 1, could allow an unauthenticated attacker to cause denial-of-service (DoS) conditions and even a remote code execution on an affected device. ..." "A July 2024 bulletin from multiple U.S ..." Link: https://attackerkb.com/assessments/77f196ee-1ff3-4fa0-90ca-4d8e0ecf55db
Andariel: North Korean APT Group Targets Military and Nuclear Programs
The North Korean APT group utilizes a range of tactics, including spear phishing and vulnerability exploitation against web servers to infiltrate targeted organizations. Andariel Threat Group Campaign Backdoor Malware Email Threat
North Korea Cyber Group Conducts Global Espionage Campaign to Advance Regime’s Military and Nuclear Programs
The actors deploy and leverage custom malware implants, remote access tools (RATs), and open source tooling for execution, lateral movement, and data exfiltration. The authoring agencies encourage critical infrastructure organizations to apply patches for vulnerabilities in a timely manner, protect web servers from web shells, monitor endpoints for malicious activities, and strengthen authentication and remote access protections.
“North Korean Cyber Group Launches Global Espionage to Boost Military and Nuclear Programs | CISA”
The actors deploy and leverage custom malware implants, remote access tools (RATs), and open source tooling for execution, lateral movement, and data exfiltration. The authoring agencies encourage critical infrastructure organizations to apply patches for vulnerabilities in a timely manner, protect web servers from web shells, monitor endpoints for malicious activities, and strengthen authentication and remote access protections.
MIL-OSI Security: North Korea Cyber Group Conducts Global Espionage Campaign to ...
The actors deploy and leverage custom malware implants, remote access tools (RATs), and open source tooling for execution, lateral movement, and data exfiltration. The authoring agencies encourage critical infrastructure organizations to apply patches for vulnerabilities in a timely manner, protect web servers from web shells, monitor endpoints for malicious activities, and strengthen authentication and remote access protections.

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
