Zyxel warns of critical security vulnerabilities in NAS devices

Does anyone operate a Zyxel NAS in their environment? The Taiwanese manufacturer has warned of several vulnerabilities in the firmware of these devices. Three of them are critical: they allow an unauthenticated attacker to execute operating system commands on vulnerable network-attached storage (NAS) devices. Firmware updates that close these vulnerabilities are available for the affected devices.


I have no idea whether readers use Zyxel NAS systems for network backups, data storage, media streaming and the like. With older firmware, however, the devices are open to attack, especially if the NAS units are reachable from the Internet. Zyxel listed the following vulnerabilities in this security advisory of November 30, 2023, and closed them with firmware updates:

  • CVE-2023-35137: An improper authentication vulnerability in the authentication module of the Zyxel NAS326 firmware version V5.21(AAZF.14)C0 and NAS542 firmware version V5.21(ABAG.11)C0 could allow an unauthenticated attacker to obtain system information by sending a crafted URL to a vulnerable device.
  • CVE-2023-35138: A command injection vulnerability in the "show_zysync_server_contents" function in Zyxel NAS devices could allow an unauthenticated attacker to execute some operating system (OS) commands by sending a crafted HTTP POST request.
  • CVE-2023-37927: The improper neutralization of special elements in the CGI program in Zyxel NAS devices could allow an authenticated attacker to execute some OS commands by sending a crafted URL to a vulnerable device.
  • CVE-2023-37928: A post-authentication command injection vulnerability in the WSGI server in Zyxel NAS devices could allow an authenticated attacker to execute some OS commands by sending a crafted URL to a vulnerable device.
  • CVE-2023-4473: A command injection vulnerability in the web server in Zyxel NAS devices could allow an unauthenticated attacker to execute some OS commands by sending a crafted URL to a vulnerable device.
  • CVE-2023-4474: The improper neutralization of special elements in the WSGI server in Zyxel NAS devices could allow an unauthenticated attacker to execute some OS commands by sending a crafted URL to a vulnerable device.

The affected Zyxel firmware versions are listed in the linked CVEs.

  • NAS326 with firmware V5.21(AAZF.14)C0 and earlier – patch version V5.21(AAZF.15)C0
  • NAS542 with firmware V5.21(ABAG.11)C0 and earlier – patch version V5.21(ABAG.12)C0
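Added example (not from the advisory or from Zyxel): a small inventory check that parses the firmware strings in the form the advisory uses and flags NAS326/NAS542 units still below the patched release. It assumes firmware ordering follows the numeric fields of the string (major.minor, build number inside the parentheses, trailing C revision); the hostnames are constructed sample data.

```python
import re
from dataclasses import dataclass

# Fixed firmware per model, as listed in the Zyxel advisory above.
PATCHED = {
    "NAS326": "V5.21(AAZF.15)C0",
    "NAS542": "V5.21(ABAG.12)C0",
}

# Shape of a Zyxel NAS firmware string, e.g. V5.21(AAZF.14)C0
_VER_RE = re.compile(r"^V(\d+)\.(\d+)\(([A-Z]+)\.(\d+)\)C(\d+)$")


@dataclass(frozen=True)
class FirmwareVersion:
    major: int
    minor: int
    branch: str   # model-specific code: AAZF for NAS326, ABAG for NAS542
    build: int
    revision: int

    @classmethod
    def parse(cls, s: str) -> "FirmwareVersion":
        m = _VER_RE.match(s.strip())
        if not m:
            raise ValueError(f"unrecognised Zyxel firmware string: {s!r}")
        major, minor, branch, build, rev = m.groups()
        return cls(int(major), int(minor), branch, int(build), int(rev))

    def key(self):
        # Assumed ordering: numeric fields, most significant first.
        return (self.major, self.minor, self.build, self.revision)


def is_vulnerable(model: str, firmware: str) -> bool:
    """True when the device runs firmware older than the fixed release."""
    fixed = FirmwareVersion.parse(PATCHED[model])
    have = FirmwareVersion.parse(firmware)
    if have.branch != fixed.branch:
        raise ValueError(f"{firmware} is not a {model} image (expected {fixed.branch})")
    return have.key() < fixed.key()


def triage(inventory):
    """Return the (host, model, firmware) entries that still need the update."""
    return [(h, m, f) for h, m, f in inventory if is_vulnerable(m, f)]


# Constructed sample inventory; the hosts are not real.
SAMPLE = [
    ("nas-01.example.test", "NAS326", "V5.21(AAZF.14)C0"),
    ("nas-02.example.test", "NAS326", "V5.21(AAZF.15)C0"),
    ("nas-03.example.test", "NAS542", "V5.21(ABAG.11)C0"),
    ("nas-04.example.test", "NAS542", "V5.20(ABAG.9)C0"),
]

if __name__ == "__main__":
    for host, model, fw in triage(SAMPLE):
        print(f"{host}: {model} on {fw} -> update to {PATCHED[model]}")
```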

The colleagues at Bleeping Computer covered the topic in this article and provide some further details.

Zyxel vulnerabilities

Addendum: The people who discovered some of the vulnerabilities contacted me afterwards and pointed out that they have published more details here and here.
