CVE-2023-35136: 
NixOS vulnerability analysis and mitigation

An improper input validation vulnerability identified as CVE-2023-35136 was discovered in the "Quagga" package of multiple Zyxel firewall series. The vulnerability affects ATP series firmware versions 4.32 through 5.37, USG FLEX series firmware versions 4.50 through 5.37, USG FLEX 50(W) series firmware versions 4.16 through 5.37, USG20(W)-VPN series firmware versions 4.16 through 5.37, and VPN series firmware versions 4.30 through 5.37. The vulnerability was discovered by Lê Hữu Quang Linh from STAR Labs SG (Zyxel Advisory).

The vulnerability is classified as an improper input validation issue (CWE-20) in the Quagga package of affected Zyxel firewall devices. It has been assigned a CVSS v3.1 base score of 5.5 (Medium) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, indicating local access is required, low attack complexity, low privileges required, no user interaction needed, and the potential for high confidentiality impact (NVD).

If successfully exploited, this vulnerability could allow an authenticated local attacker to access configuration files on an affected device (Zyxel Advisory).

Zyxel has released patches to address this vulnerability. Users of affected devices are advised to upgrade to ZLD V5.37 Patch 1. This patch is available for all affected firewall series including ATP, USG FLEX, USG FLEX 50(W), USG20(W)-VPN, and VPN series (Zyxel Advisory).