CVE-2024-42057: 
NixOS vulnerability analysis and mitigation

A command injection vulnerability (CVE-2024-42057) was discovered in the IPSec VPN feature of Zyxel firewalls. The vulnerability affects multiple Zyxel device series including ATP series (firmware V4.32-V5.38), USG FLEX series (V4.50-V5.38), USG FLEX 50(W) series (V4.16-V5.38), and USG20(W)-VPN series (V4.16-V5.38). This vulnerability was discovered by nella17 from DEVCORE and was disclosed in September 2024 (Vendor Advisory).

The vulnerability is classified as an OS Command Injection flaw (CWE-78) that allows an unauthenticated attacker to execute operating system commands on affected devices by sending a crafted username to the vulnerable device. The vulnerability has received a CVSS v3.1 base score of 8.1 (HIGH), with the vector string AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H. The exploitation requires specific conditions: the device must be configured in User-Based-PSK authentication mode, and a valid user with a username exceeding 28 characters must exist on the system (NVD, Hacker News).

If successfully exploited, this vulnerability allows attackers to execute arbitrary OS commands on the affected device, potentially leading to complete system compromise. The high severity score reflects the significant impact on confidentiality, integrity, and availability of the affected systems (Hacker News).

Zyxel has released firmware version V5.39 to address this vulnerability. Users of affected devices are strongly advised to upgrade to the latest firmware version. The affected product lines and their corresponding patch versions have been detailed in Zyxel's security advisory (Vendor Advisory).