Find Vulnerable Zyxel Firewalls and VPN Devices in Your Network
Zyxel has released firmware updates for several models of their firewalls and VPN devices. This is in repose to 2 new buffer overflow vulnerabilities (CVE-2023-33009 and CVE-2023-33010) that could lead to remote code execution and denial of service. These vulnerabilities were discovered just days before reports started coming in that an earlier vulnerability (CVE-2023-28771) in the same devices is being actively exploited. Make sure to update any vulnerable devices as soon as possible. You can read more details in our Zyxel vulnerability blog.
The report below will help you find any Zyxel firewalls or VPN devices in your network that still need to be patched. Make sure to install the update as soon as possible to protect your network. Simply run the report to get a complete overview of devices that need your intervention.
These reports utilize Custom OID scanning to retrieve the firmware version. The OID in the example report below is based on certain models of the ZyWALL firewalls. It uses the custom OIDs labeled:
major version
minor version
patch number
version string
Other devices and models might require you to adjust the report with a different OID or label. You can search for the MIB file of different models on Zyxel’s download library.
Select tblAssets.AssetID,
tblAssets.AssetName,
tsysAssetTypes.AssetTypeIcon10 As icon,
tblAssets.IPAddress,
tsysIPLocations.IPLocation,
tblAssetCustom.Manufacturer,
tblAssetCustom.Model,
tblAssets.Description,
OID.MajorVersion,
OID.MinorVersion,
OID.PatchVersion,
OID.FullVersion,
Case
When tblAssetCustom.Model Like '%ATP%' And OID.MajorVersion < 4 Or
OID.MajorVersion > 5 Then 'Up to date'
When tblAssetCustom.Model Like '%ATP%' And OID.MajorVersion = 4 And
OID.MinorVersion < 32 Then 'Up to date'
When tblAssetCustom.Model Like '%ATP%' And OID.MajorVersion = 5 And
OID.MinorVersion > 36 Then 'Up to date'
When tblAssetCustom.Model Like '%ATP%' And OID.MajorVersion = 5 And
OID.MinorVersion = 36 And OID.PatchVersion > 1 Then 'Up to date'
When (tblAssetCustom.Model Like '%USG%Flex50%' Or
tblAssetCustom.Model Like '%USG%20%W%') And OID.MajorVersion < 4 Or
OID.MajorVersion > 5 Then 'Up to date'
When (tblAssetCustom.Model Like '%USG%Flex50%' Or
tblAssetCustom.Model Like '%USG%20%W%') And OID.MajorVersion = 4
And OID.MinorVersion < 25 Then 'Up to date'
When (tblAssetCustom.Model Like '%USG%Flex50%' Or
tblAssetCustom.Model Like '%USG%20%W%') And OID.MajorVersion = 5
And OID.MinorVersion > 36 Then 'Up to date'
When (tblAssetCustom.Model Like '%USG%Flex50%' Or
tblAssetCustom.Model Like '%USG%20%W%') And OID.MajorVersion = 5
And OID.MinorVersion = 36 And OID.PatchVersion > 1 Then 'Up to date'
When tblAssetCustom.Model Like '%USG%Flex%' And OID.MajorVersion < 4 Or
OID.MajorVersion > 5 Then 'Up to date'
When tblAssetCustom.Model Like '%USG%Flex%' And OID.MajorVersion = 4 And
OID.MinorVersion < 50 Then 'Up to date'
When tblAssetCustom.Model Like '%USG%Flex%' And OID.MajorVersion = 5 And
OID.MinorVersion > 36 Then 'Up to date'
When tblAssetCustom.Model Like '%USG%Flex%' And OID.MajorVersion = 5 And
OID.MinorVersion = 36 And OID.PatchVersion > 1 Then 'Up to date'
When tblAssetCustom.Model Like '%VPN%' And OID.MajorVersion < 4 Or
OID.MajorVersion > 5 Then 'Up to date'
When tblAssetCustom.Model Like '%VPN%' And OID.MajorVersion = 4 And
OID.MinorVersion < 30 Then 'Up to date'
When tblAssetCustom.Model Like '%VPN%' And OID.MajorVersion = 5 And
OID.MinorVersion > 36 Then 'Up to date'
When tblAssetCustom.Model Like '%VPN%' And OID.MajorVersion = 5 And
OID.MinorVersion = 36 And OID.PatchVersion > 1 Then 'Up to date'
When (tblAssetCustom.Model Like '%ZyWALL%' Or
tblAssetCustom.Model Like '%USG%') And OID.MajorVersion < 4 Or
OID.MajorVersion > 5 Then 'Up to date'
When (tblAssetCustom.Model Like '%ZyWALL%' Or
tblAssetCustom.Model Like '%USG%') And OID.MajorVersion = 4 And
OID.MinorVersion < 25 Then 'Up to date'
When (tblAssetCustom.Model Like '%ZyWALL%' Or
tblAssetCustom.Model Like '%USG%') And OID.MajorVersion = 4 And
OID.MinorVersion > 73 Then 'Up to date'
When (tblAssetCustom.Model Like '%ZyWALL%' Or
tblAssetCustom.Model Like '%USG%') And OID.MajorVersion = 4 And
OID.MinorVersion = 73 And OID.PatchVersion > 1 Then 'Up to date'
When OID.MajorVersion Is Null Or OID.MinorVersion Is Null Or
OID.PatchVersion Is Null Then 'No Data'
Else 'Up to date'
End As [Patch Status],
Case
When tblAssetCustom.Model Like '%ATP%' Then 'ZLD V5.36 Patch 2'
When (tblAssetCustom.Model Like '%USG%Flex50%' Or
tblAssetCustom.Model Like '%USG%20%W%') Then 'ZLD V5.36 Patch 2'
When tblAssetCustom.Model Like '%USG%Flex%' Then 'ZLD V5.36 Patch 2'
When tblAssetCustom.Model Like '%VPN%' Then 'ZLD V5.36 Patch 2'
When (tblAssetCustom.Model Like '%ZyWALL%' Or
tblAssetCustom.Model Like '%USG%') Then 'ZLD V4.73 Patch 2'
End As [Required Patch],
Case
When tblErrors.ErrorText Is Not Null Or
tblErrors.ErrorText != '' Then
'Scanning Error: ' + tsysasseterrortypes.ErrorMsg
Else ''
End As ScanningErrors,
tblAssets.Lastseen,
tblAssets.Lasttried
From tblAssets
Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
Inner Join tsysAssetTypes On tsysAssetTypes.AssetType = tblAssets.Assettype
Inner Join tsysIPLocations On tsysIPLocations.LocationID =
tblAssets.LocationID
Inner Join tblState On tblState.State = tblAssetCustom.State
Left Join (Select tblOIDData.AssetID,
Max(Case
When tblOIDData.Label Like '%major version%' Then
Cast(tblOIDData.Data As nvarchar(max))
End) As MajorVersion,
Max(Case
When tblOIDData.Label Like '%minor version%' Then
Cast(tblOIDData.Data As nvarchar(max))
End) As MinorVersion,
Max(Case
When tblOIDData.Label Like '%patch number%' Then
Cast(tblOIDData.Data As nvarchar(max))
End) As PatchVersion,
Max(Case
When tblOIDData.Label Like '%version string%' Then
Cast(tblOIDData.Data As nvarchar(max))
End) As FullVersion
From tblOIDData
Where tblOIDData.Data Not Like '%data%'
Group By tblOIDData.AssetID) As OID On OID.AssetID = tblAssets.AssetID
Left Join (Select Distinct Top 1000000 tblErrors.AssetID As ID,
Max(tblErrors.Teller) As ErrorID
From tblErrors
Group By tblErrors.AssetID) As ScanningError On tblAssets.AssetID =
ScanningError.ID
Left Join tblErrors On ScanningError.ErrorID = tblErrors.Teller
Left Join tsysasseterrortypes On tsysasseterrortypes.Errortype =
tblErrors.ErrorType
Where tblAssetCustom.Manufacturer Like '%Zyxel%' And
(tblAssetCustom.Model Like '%ATP%' Or tblAssetCustom.Model Like '%USG%' Or
tblAssetCustom.Model Like '%VPN%' Or tblAssetCustom.Model Like '%ZyWALL%')
And tblState.Statename = 'Active'
Group By tblAssets.AssetID,
tblAssets.AssetName,
tsysAssetTypes.AssetTypeIcon10,
tblAssets.IPAddress,
tsysIPLocations.IPLocation,
tblAssetCustom.Manufacturer,
tblAssetCustom.Model,
tblAssets.Description,
tblErrors.ErrorText,
tsysasseterrortypes.ErrorMsg,
tblAssets.Lastseen,
tblAssets.Lasttried,
OID.MajorVersion,
OID.MinorVersion,
OID.PatchVersion,
OID.FullVersion
Order By tblAssetCustom.Model,
tblAssets.IPAddress