- Zultys
- Zultys MX-SE
- Zultys MX-SE II
- Zultys MX-E
- Zultys MX-Virtual
- Zultys MX250
- Zultys MX30
Zultys MX devices are vulnerable to a multiple vulnerabilities when processing remote input leading to authentication bypass, post-authentication OS command injection, and post-authentication SQL injection.
Firmware upgrades and patches are available:
- Firmware 17.0.10 - Install patch 17161 (or later replacement) via Patch Manager
- Firmware 17.0.6 - Upgrade to 17.0.10 and install patch 17161 (or later replacement) via Patch Manager
- Firmware 16.0.4 - Install patch 16109 (or later replacement) via Patch Manager
- Firmware 16.0.2 - Upgrade to a supported release (16.0.4 or 17.0.10) and patch
- Firmware 15.0.x and earlier - Upgrade to a supported (16.0.4 or 17.0.10) and patch
If upgrading or patching is not immediately possible:
- Deny access to the relevant services from untrusted IP addresses using the MX 'Service Protection - Source Based Firewall' feature where available (Release 14.0.4+) or block access to the relevant ports from untrusted IP addresses using an external firewall.
- Firmware 16.0.x and 17.0.x - Block port 443
- All versions - Block ports 7117, 7134, and 7505
This issue was found by Stephen Breen of Atredis Partners.
- https://www.zultys.com/security-advisories/san23-001/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-43742
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-43743
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-43744
- 2023-08-03 - Atredis made contact with the vendor and sent an initial draft report.
- 2023-08-07 - Zultys confirms receipt of the advisory
- 2023-10-05 - Zultys releases patches
- 2023-10-13 - Zultys updates patch numbers (patch 17159 replaced by 17161. Patch 16107 replaced by 16109)
- 2023-11-15 - Atredis Partners publishes advisory ATREDIS-2023-0002
In normal operation, the Zultys MX Administrator Windows client connects to port 7505 and attempts authentication, submitting the administrator username and password to the server. Upon authentication failure, the server sends a login failure message prompting the client to disconnect. However, if the client ignores the failure message instead and attempts to continue, the server does not forcibly close the connection and processes all subsequent requests from the client as if authentication had been successful.
A filter parameter used for /newapi/ requests in the Zultys MX web interface is vulnerable to authenticated SQL injection. Exploitation results in execution of arbitrary SQL on the backend database.
The Zultys MX Administrator client has a "Patch Manager" section that allows administrators to apply patches to the device. The user supplied filename for the patch file is passed to a shell script without validation. Including bash command substitution characters in a patch file name results in execution of the provided command.