Positive Technologies helped to fix a vulnerability in Zyxel switches

The issue received a CVSSv3 score of 8.2, qualifying it as high severity; a security patch is now available

The CVE-2022-43393 vulnerability discovered by Nikita Abramov, a researcher at Positive Technologies, affected dozens of Zyxel switch models and posed a serious risk for business processes of many organizations. The manufacturer has now remediated the vulnerability by releasing patches for all affected switches.

By sending a specially crafted HTTP request, an attacker was able to remotely corrupt the contents of the device’s memory, causing denial of service.

"In practical terms, this type of vulnerability is less interesting to attackers than arbitrary code execution. However, exploitation of this vulnerability can disrupt business processes or knock out critical infrastructure elements. This could lead to additional costs and risks. In a worst-case scenario, this type of attack could trigger a non-tolerable event, jeopardizing the company’s operations," commented Nikita Abramov, Application Analysis Expert at Positive Technologies.

Some of the potentially vulnerable switches are utilized in complex network infrastructures of large companies or in converged networks [1]. Other devices are also used by relatively small organizations that need centralized management and configuration of flexible scenarios.

A total of 47 different models were affected by this flaw. At the time the security advisory was issued, vulnerable switches were located in Taiwan (12.8%), France (11.9%), Thailand (9.1%), South Korea (7.7%), Italy (7.6%), the U.S. (5.5%), and Russia (0.5%).

[Figure: Percentage of vulnerable devices by country, %]

According to the researcher, such vulnerabilities are usually caused by inattentive coding.

Following the responsible disclosure policy, the researcher reported the vulnerability to the manufacturer, and Zyxel addressed the issue. Users are advised to install the patches specified in the security advisory.

  1. Converged network infrastructure makes it possible to integrate network resources, servers, and storage systems, and to administer them as a single system.