nessus | This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof. | ZYXEL_USG_CVE-2023-28771.NASL
History: May 22, 2023 - 12:00 a.m.

Zyxel USG < 5.36 / ATP < 5.36 / VPN < 5.36 / ZyWALL < 4.73 Patch 1 (RCE) (CVE-2023-28771)

2023-05-22 00:00:00
This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
41

The firmware version of the remote Zyxel USG, ATP, or VPN device is earlier than 5.36, or the firmware version of the remote Zyxel ZyWALL device is earlier than 4.73 Patch 1. The firmware on these devices contains improper error message handling logic, which could allow an unauthenticated attacker to execute some OS commands remotely by sending crafted packets to an affected device.

Note that Nessus has not tested for this issue but has instead relied only on the application’s self-reported version number.

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

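# Plugin registration block: declares the plugin's identity, advisory text,
# scoring, and the prerequisites that must be met before the check body below
# is run. It ends with exit(0), so nothing after it executes during the
# description pass.
if (description)
{
  script_id(176216);
  script_version("1.5");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/06/12");

  script_cve_id("CVE-2023-28771");
  # Cross-reference to the CISA Known Exploited Vulnerabilities catalog; the
  # value is the date recorded for this entry.
  script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2023/06/21");

  script_name(english:"Zyxel USG < 5.36 / ATP < 5.36 / VPN < 5.36 / ZyWALL < 4.73 Patch 1 (RCE) (CVE-2023-28771)");

  script_set_attribute(attribute:"synopsis", value:
"The remote security gateway is affected by a remote code execution vulnerability.");
  # The closing note in the description matters for triage: the finding is
  # derived from the self-reported firmware version only, so it should be
  # confirmed against the device before being treated as verified.
  script_set_attribute(attribute:"description", value:
"Firmware version of the Zyxel USG, ATP, or VPN is less than 5.36 or the version of Zyxel ZyWall is less 
than 4.73 Patch 1. This Zyxel device firmware contains improper error message handling logic which could
allow an unauthenticated attacker to execute some OS commands remotely by sending crafted packets to an 
affected device.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  # https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-remote-command-injection-vulnerability-of-firewalls
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?3bab8fe5");
  # Solution wording corrected: the original read "upgrade ZyWALL < 4.73 Patch 1
  # or later", which did not state a target version. The versions below are the
  # same fixed versions given in script_name above.
  script_set_attribute(attribute:"solution", value:
"Upgrade Zyxel USG / ATP / VPN firmware to 5.36 or later, or upgrade ZyWALL firmware to 4.73 Patch 1 or later.");

  # Scoring: network-reachable, no authentication or user interaction, full
  # impact on confidentiality, integrity and availability (per the vectors).
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2023-28771");

  # Public exploit availability raises remediation priority for exposed devices.
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Zyxel IKE Packet Decoder Unauthenticated Remote Code Execution');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2023/04/25");
  script_set_attribute(attribute:"patch_publication_date", value:"2023/04/25");
  script_set_attribute(attribute:"plugin_publication_date", value:"2023/05/22");

  script_set_attribute(attribute:"plugin_type", value:"combined");
  # NOTE(review): only the usg_flex CPE is listed although the check body also
  # matches ATP, VPN and ZyWALL models - confirm whether more CPEs are intended.
  script_set_attribute(attribute:"cpe", value:"cpe:/h:zyxel:usg_flex");
  script_end_attributes();

  # Information-gathering category: the plugin reads detection results and
  # compares versions; it sends no exploit traffic.
  script_category(ACT_GATHER_INFO);
  script_family(english:"Firewalls");

  script_copyright(english:"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # The check depends on the Zyxel detection plugins having recorded an install
  # under the required KB key.
  script_dependencies("zyxel_usg_web_detect.nbin", "zyxel_usg_detect.nbin");
  script_require_keys("installed_sw/Zyxel Unified Security Gateway (USG)");
  script_require_ports("Services/www", 80, 443);

  exit(0);
}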

include('vcf.inc');

# Version check body: looks up the detected Zyxel install, picks the fixed
# version that applies to the detected model family, and reports the host as
# vulnerable when the self-reported firmware version is below it.
var app_name = 'Zyxel Unified Security Gateway (USG)';

var app_info = vcf::combined_get_app_info(app:app_name);

var model = app_info['Model'];
var version_constraints = [];

# Without a model string the correct fixed version cannot be chosen.
if (empty_or_null(model))
{
  audit(AUDIT_OS_CONF_UNKNOWN, 'Zyxel device');
}

# '><' is a substring test, and the branches are tried in order: a model string
# containing 'USG' takes the 5.36 branch even if it also contains 'ZyWALL'.
if ('ATP' >< model || 'USG' >< model || 'VPN' >< model )
{
  # NOTE(review): no min_version here, so every firmware below 5.36 is reported,
  # whereas the ZyWALL branch starts at 4.60 - confirm against the vendor advisory.
  version_constraints = [{ 'fixed_version' : '5.36' }];
}
else if ('ZyWALL' >< model)
{
  # The ZyWALL fixed version is an approximation (see below), so this branch is
  # only evaluated when paranoid reporting is enabled.
  if (report_paranoia < 2)
  {
    audit(AUDIT_PARANOID);
  }
  else
  {
    # 4.73.01 is an artificial version number: the patch was not yet released
    # when this was written and its precise version was not known.
    version_constraints = [{
      'min_version'   : '4.60',
      'fixed_version' : '4.73.01',
      'fixed_display' : '4.73 Patch 1'
    }];
  }
}
else
{
  # Any other model is outside the scope of this check.
  audit(AUDIT_NOT_INST, 'Zyxel USG / ATP / VPN / ZyWALL Device');
}

# Compare the detected version with the chosen constraints; the result rests on
# the self-reported version only, no packet is sent to test the flaw.
vcf::check_version_and_report(
  app_info    : app_info,
  constraints : version_constraints,
  severity    : SECURITY_HOLE
);
| Vendor | Product | Version | CPE |
| --- | --- | --- | --- |
| zyxel | usg_flex | | cpe:/h:zyxel:usg_flex |