Zyxel Firewall Vulnerabilities Reveal the Complexity of the IT Infrastructure Supply Chain

Recently SektorCERT (previously EnergiCERT) published a report on what it describes as the largest known cyberattack against Danish critical infrastructure. Reading through the report, it appears that an unauthenticated, remotely exploitable vulnerability in Zyxel firewalls (CVE-2023-28771) was used to gain the initial foothold.

This particular vulnerability was reported to Zyxel in April 2023 by an independent third party. Zyxel's advisory describes it as an unauthenticated remote OS command injection in the firewall's IPsec service, triggered over UDP port 500 (IKE) by a "specially crafted" IKEv2 packet. Rapid7 reverse-engineered the patch and published the technical details.

Digging Into The Supply Chain

I reviewed Rapid7's analysis of the vulnerability, as they went through the trouble of reverse engineering the patch. The vulnerability lies in a binary included in the Zyxel firmware called "sshipsecpm". Many years ago I implemented a few different IPsec-based VPNs for organizations I worked for at the time. IPsec is a complex suite of protocols and (in my opinion) not something you would want to implement yourself; you would instead license the functionality from a third party or rely on an open-source implementation. In either case, vulnerabilities in that library or service become supply chain vulnerabilities: they trickle down into every product that embeds the code and, if left unchecked, threaten the entire system and all of its customers.

I looked up details on the "sshipsecpm" binary, essentially just searching Google for its name. There were not many results, but among them are banners from other vendors' devices that name the third parties responsible for producing and distributing this software. Some examples are shown below:

DFL-1660:/> about

D-Link Firewall
Copyright Clavister 1996-2011. All rights reserved
QuickSec SSHIPSECPM version 2.1 library 2.1
Copyright 1997-2003 SafeNet Inc
Build: May 12 2011


gateway:Clavister SG 51
ver: CorePlus
QuickSec SSHIPSECPM version 2.1 library 2.1
Copyright 1997-2003 SafeNet Inc
Build : Feb 4 2010


It appears that the software is called "QuickSec SSHIPSECPM" and is included in both D-Link firewalls (a name you likely recognize) and Clavister firewalls (a name you may not recognize; Clavister is a Swedish vendor that sells firewalls and other security appliances). The "ssh" prefix in the binary name and the 1997-2003 copyright range are consistent with QuickSec having originated at SSH Communications Security before SafeNet took over the product. A quick search on "SafeNet" shows that this company was sold a couple of times and is now owned by Thales. It is difficult to determine exactly where Zyxel's copy of the software came from, but the evidence points to Zyxel deciding not to implement its own IPsec stack and instead shipping this third-party one.
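The search above was done by hand. The same question, "which third-party component is this, and which version?", can be asked of an unpacked firmware image programmatically by extracting printable strings from each binary and matching them against known vendor banners. The following Python script is an added example, not code from the original post and not part of Eclypsium's platform. Its signatures are built only from the banner strings quoted above (QuickSec SSHIPSECPM version line, SafeNet and Clavister copyright lines); the "Build :" date pattern is an assumption about how those binaries stamp their build date, and the sample blob is constructed for the demonstration. A hit tells you a component is present; it does not tell you whether the vulnerable code path is reachable in that product.

```python
"""Fingerprint third-party components in an unpacked firmware tree by their
embedded banner strings (added illustrative example, not Eclypsium code)."""
import os
import re

# strings(1)-style extraction: runs of printable ASCII at least MIN_LEN long.
MIN_LEN = 8

# Component signatures. The QuickSec/SafeNet/Clavister patterns come from the
# 'about' banners quoted in the article; the "Build" pattern is an assumption
# about how those binaries record their build date.
SIGNATURES = [
    ("quicksec_ipsec",
     re.compile(r"QuickSec SSHIPSECPM version (?P<version>[\d.]+) library (?P<library>[\d.]+)")),
    ("safenet_copyright",
     re.compile(r"Copyright (?P<from>\d{4})-(?P<to>\d{4}) SafeNet Inc")),
    ("clavister_copyright",
     re.compile(r"Copyright Clavister (?P<from>\d{4})-(?P<to>\d{4})")),
    ("build_date",
     re.compile(r"Build\s*:\s*(?P<date>[A-Z][a-z]{2}\s+\d{1,2} \d{4})")),
]


def extract_strings(blob: bytes, min_len: int = MIN_LEN) -> list[str]:
    """Return printable ASCII runs of at least min_len bytes, in file order."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(blob)]


def fingerprint(blob: bytes) -> dict[str, dict[str, str]]:
    """Match every known signature against the strings in blob.

    Returns {signature_name: {captured fields}} for each signature that hit.
    Only the first occurrence of each signature is kept.
    """
    hits: dict[str, dict[str, str]] = {}
    for s in extract_strings(blob):
        for name, regex in SIGNATURES:
            if name in hits:
                continue
            m = regex.search(s)
            if m:
                hits[name] = m.groupdict()
    return hits


def scan_tree(root: str) -> dict[str, dict[str, dict[str, str]]]:
    """Fingerprint every regular file under root (e.g. an unpacked squashfs).

    Returns {relative_path: hits} for files matching at least one signature.
    Symlinks are skipped so a rootfs with /bin -> /usr/bin is not double-counted.
    """
    results: dict[str, dict[str, dict[str, str]]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            with open(path, "rb") as fh:
                hits = fingerprint(fh.read())
            if hits:
                results[os.path.relpath(path, root)] = hits
    return results


# Constructed sample: a fake binary carrying the banner strings quoted in the
# article, separated by non-printable bytes so extraction has real work to do.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"QuickSec SSHIPSECPM version 2.1 library 2.1\x00\x00\x01"
    + b"Copyright 1997-2003 SafeNet Inc\x00"
    + b"Build : Feb 4 2010\x00\xff\xfe"
    + b"sh -c\x00"  # shorter than MIN_LEN, so never extracted
)

if __name__ == "__main__":
    import json
    import sys
    # Usage: python fingerprint.py /path/to/unpacked/rootfs
    # With no argument the constructed sample is fingerprinted instead.
    if len(sys.argv) > 1:
        print(json.dumps(scan_tree(sys.argv[1]), indent=2))
    else:
        print(json.dumps({"<sample>": fingerprint(SAMPLE_BINARY)}, indent=2))
```

Run it against a firmware root filesystem extracted with a tool such as binwalk or unsquashfs and you get a per-file list of matched components and versions, which is the raw material for an SBOM entry and for the question the next section raises: which other products carry the same library.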

Potential Impact

While the vulnerability in question was disclosed by Zyxel and patches were provided, the story goes a bit deeper and points to a supply chain issue. This IPsec software appears in other vendors' products, and the flaw may be present there as well. Each vendor integrates and builds the library differently, so the bug could have been mitigated in some of those products, but until a vendor confirms this, owners of devices that embed the same component should treat the question as open and ask for a statement rather than assume they are unaffected.

Generally, third-party software components receive less scrutiny than the product that wraps them, especially inside IT infrastructure devices such as firewalls. We tend to trust our vendors to develop their products securely. But as this Zyxel firewall example shows, attackers do pay attention to these components and take advantage of the complexity of the IT infrastructure supply chain.

Eclypsium provides organizations with supply chain intelligence so that they can assess the risk of IT products—even before bringing them on board. We’ve already done the deep analysis of hardware, firmware, and software components so that you can evaluate risk before purchase, or understand what risk you have present in your environment. In addition, our supply chain security platform helps you to continuously monitor and remediate these threats in your production assets, including for network devices such as firewalls, ADCs, and VPNs. 

Further Reading