Zyxel warns about new critical vulnerabilities found in its NAS devices

Alfonso Maruccia

In brief: Zyxel is a Taiwanese manufacturer better known for mobile and broadband network products, and it also sells NAS devices for network-based storage access. Two of those NAS products are affected by six dangerous vulnerabilities, for which the company has already provided a security update.

Zyxel has recently released a new security advisory for a bunch of security vulnerabilities discovered in the company's NAS devices. The six flaws could be abused to bypass authentication and inject malicious commands into the NAS OS, Zyxel has warned. Users are advised to install the already available security patches for "optimal protection" in their network storage setups.

The newly discovered vulnerabilities, which include three critical flaws with very high severity scores, are described in the following CVE-tracked bulletins: CVE-2023-35137, CVE-2023-35138, CVE-2023-37927, CVE-2023-37928, CVE-2023-4473, CVE-2023-4474. The first flaw (CVE-2023-35137) has a severity score of 7.5 and pertains to an improper authentication issue in Zyxel NAS devices that could allow an unauthenticated attacker to obtain system information with a specially crafted URL.

The second flaw (CVE-2023-35138) is a critical vulnerability (9.8 severity score) in the "show_zysync_server_contents" function, Zyxel explains, which could provide hackers with a way to execute "some" OS commands by sending a specific HTTP POST request. The third flaw (CVE-2023-37927) is a high-severity bug (8.8) with improper neutralization of special elements in the CGI program, which could allow attackers to execute OS commands by sending a crafted URL.

The fourth flaw (CVE-2023-37928) is a post-authentication command injection vulnerability (8.8) in the WSGI server, which could once again open an OS command execution opportunity through a malicious URL. The fifth flaw (CVE-2023-4473) is a critical bug (9.8) in the Zyxel NAS web server that could be exploited the same way. Finally, the sixth flaw (CVE-2023-4474) is yet another critical issue (9.8) arising from the improper neutralization of special elements in the WSGI server.

Zyxel acknowledged the work done by three researchers (Maxim Suslov, Gábor Selján, Drew Balfour) in discovering the security flaws. The company conducted a "thorough investigation" to identify the supported devices affected by the flaws, which include the NAS326 and NAS542 network storage models.

The Taiwanese manufacturer did not provide any mitigation measures or workarounds to shield the devices against the new flaws. To keep their data safe from cyber-criminals, customers need to install the following firmware updates: V5.21(AAZF.15)C0 for the NAS326 and V5.21(ABAG.12)C0 for the NAS542.
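Since the advisory offers no workaround, the practical defender task is checking which devices still run firmware below the fixed versions named above. The following inventory check is an added example, not a Zyxel tool; it assumes the version string layout V&lt;major&gt;.&lt;minor&gt;(&lt;platform&gt;.&lt;patch&gt;)&lt;release&gt; and that, within one platform code, a higher (major, minor, patch) tuple is newer, and the inventory entries are constructed sample data.

```python
import re
from typing import NamedTuple

# Fixed firmware per model, as stated in the advisory coverage above.
FIXED_FIRMWARE = {
    "NAS326": "V5.21(AAZF.15)C0",
    "NAS542": "V5.21(ABAG.12)C0",
}

# Assumed layout of Zyxel version strings: V<major>.<minor>(<platform>.<patch>)<release>
_VERSION_RE = re.compile(r"^V(\d+)\.(\d+)\(([A-Z]+)\.(\d+)\)(C\d+)$")


class Firmware(NamedTuple):
    major: int
    minor: int
    platform: str
    patch: int
    release: str


def parse_firmware(version: str) -> Firmware:
    """Split a version string into comparable fields; reject anything unexpected."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised firmware string: {version!r}")
    major, minor, platform, patch, release = m.groups()
    return Firmware(int(major), int(minor), platform, int(patch), release)


def is_patched(model: str, running: str) -> bool:
    """True when `running` is at or above the fixed firmware for `model`.
    Assumption: same platform code, then (major, minor, patch) compare numerically."""
    if model not in FIXED_FIRMWARE:
        raise KeyError(f"model {model} is not covered by this advisory")
    fixed = parse_firmware(FIXED_FIRMWARE[model])
    cur = parse_firmware(running)
    if cur.platform != fixed.platform:
        raise ValueError(f"{running} is not {model} firmware (expected {fixed.platform})")
    return (cur.major, cur.minor, cur.patch) >= (fixed.major, fixed.minor, fixed.patch)


# Constructed sample inventory (hypothetical hosts), not real devices.
INVENTORY = [
    {"host": "nas-01", "model": "NAS326", "firmware": "V5.21(AAZF.14)C0"},
    {"host": "nas-02", "model": "NAS326", "firmware": "V5.21(AAZF.15)C0"},
    {"host": "nas-03", "model": "NAS542", "firmware": "V5.21(ABAG.11)C0"},
]


def find_vulnerable(inventory):
    """Return hostnames whose firmware predates the fixed release."""
    return [d["host"] for d in inventory if not is_patched(d["model"], d["firmware"])]
```

Running `find_vulnerable(INVENTORY)` on the sample inventory flags nas-01 and nas-03 for updating; a mismatched platform code raises instead of silently passing.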

Why can't they use a form of Linux followed with an open-source and up-to-date NAS manager?

Injections through HTTP are really old, and it means there are zero checks done on what is submitted through that web application. At least some sort of firewall would help units like that.