Zyxel alerts about several critical weaknesses in NAS devices

Zyxel has resolved numerous security problems, including three critical ones that could permit an unauthenticated attacker to run operating system commands on vulnerable network-attached storage (NAS) devices.

Nov 30, 2023 - 15:00

Network storage provider Zyxel has released updates to patch several severe security vulnerabilities in its network-attached storage (NAS) devices, including three critical flaws that could allow unauthenticated attackers to execute commands.

Zyxel NAS devices are commonly used for centralized data storage, particularly by small to medium-sized businesses, IT professionals, and digital content creators. The devices offer features like data backup, media streaming, and data sharing.

The vulnerabilities, affecting NAS326 and NAS542 models, include:

  1. CVE-2023-35137: A high-severity improper authentication issue in the authentication module of Zyxel NAS devices. This flaw allows unauthenticated attackers to obtain system information via a specifically crafted URL.

  2. CVE-2023-35138: A critical command injection flaw in the "show_zysync_server_contents" function of Zyxel NAS devices. Unauthenticated attackers can execute operating system commands via a crafted HTTP POST request.

  3. CVE-2023-37927: A vulnerability in the CGI program of Zyxel NAS devices, which lets authenticated attackers execute OS commands using a specially crafted URL.

  4. CVE-2023-37928: A post-authentication command injection issue in Zyxel NAS devices' WSGI server. This allows authenticated attackers to execute OS commands via a crafted URL.

  5. CVE-2023-4473: A critical command injection flaw in the web server of Zyxel NAS devices, enabling unauthenticated attackers to execute OS commands through a crafted URL.

  6. CVE-2023-4474: Another critical vulnerability in the WSGI server of Zyxel NAS devices, allowing unauthenticated attackers to execute OS commands using a crafted URL.

These vulnerabilities pose significant risks, such as unauthorized access, execution of operating system commands, obtaining sensitive information, or full control over the affected devices.

Zyxel recommends that users of the NAS326 model update to firmware version V5.21(AAZF.15)C0 or later, and that users of the NAS542 model upgrade to firmware version V5.21(ABAG.12)C0 or later. These updates resolve the aforementioned security issues. The company hasn't provided any specific mitigation advice or workarounds other than the firmware update.
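As a defender-side inventory check added here (not code from Zyxel or from the article), the following Python helper parses the firmware strings quoted above and flags NAS326/NAS542 entries that are still below the fixed builds. The version-string layout and the left-to-right field ordering are assumptions inferred from the two strings on the page, not a documented Zyxel scheme, and the sample inventory is constructed.

```python
import re

# Minimum fixed firmware per model, as stated in the Zyxel guidance above.
FIXED_VERSIONS = {"NAS326": "V5.21(AAZF.15)C0", "NAS542": "V5.21(ABAG.12)C0"}

# Assumed layout of the version string: V<major>.<minor>(<code>.<build>)C<release>,
# where <code> (AAZF, ABAG) identifies the model's firmware line.
_VERSION_RE = re.compile(r"^V(\d+)\.(\d+)\(([A-Z]+)\.(\d+)\)C(\d+)$")


def parse_version(text):
    """Return (code, (major, minor, build, release)) for a Zyxel version string."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Zyxel version string: {text!r}")
    major, minor, code, build, release = m.groups()
    # Assumption: a larger number in any field, compared left to right, means newer firmware.
    return code, (int(major), int(minor), int(build), int(release))


def is_patched(model, installed):
    """True when `installed` is at or above the fixed firmware for `model`."""
    fixed_code, fixed = parse_version(FIXED_VERSIONS[model])  # KeyError if model unlisted
    code, current = parse_version(installed)
    if code != fixed_code:
        # A different code means the string belongs to another model's firmware line.
        raise ValueError(f"{installed!r} is not {model} firmware (expected code {fixed_code})")
    return current >= fixed


def triage(inventory):
    """Map hostname -> 'patched' / 'VULNERABLE' / 'unknown' for (host, model, fw) rows."""
    result = {}
    for host, model, fw in inventory:
        try:
            result[host] = "patched" if is_patched(model, fw) else "VULNERABLE"
        except (KeyError, ValueError):
            result[host] = "unknown"
    return result


# Constructed sample inventory (hostnames and firmware strings made up for this example).
SAMPLE_INVENTORY = [
    ("nas-a", "NAS326", "V5.21(AAZF.14)C0"),  # older build: still vulnerable
    ("nas-b", "NAS326", "V5.21(AAZF.15)C0"),  # exactly the fixed build
    ("nas-c", "NAS542", "V5.21(ABAG.12)C0"),  # fixed build for NAS542
    ("nas-d", "NAS542", "V5.21(AAZF.15)C0"),  # wrong firmware line for the model
]
```

Rows marked "unknown" deserve a manual look rather than being treated as safe, since they indicate a string the parser did not recognise or firmware from a different model line.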