The Information Highway

Zyxel warns of multiple critical vulnerabilities in NAS devices

Zyxel has addressed multiple security issues, including three critical ones that could allow an unauthenticated attacker to execute operating system commands on vulnerable network-attached storage (NAS) devices. 

Zyxel NAS systems are used for storing data in a centralized location on the network. They are designed for high volumes of data and offer features like data backup, media streaming, or customized sharing options.

Typical Zyxel NAS users include small to medium-sized businesses seeking a solution that combines data management, remote work, and collaboration features, as well as IT professionals setting up data redundancy systems, or videographers and digital artists working with large files.

In a security bulletin today, the vendor warns of the following flaws impacting NAS326 devices running version 5.21(AAZF.14)C0 and earlier, and NAS542 with version 5.21(ABAG.11)C0 and earlier.

  • CVE-2023-35137: Improper authentication vulnerability in Zyxel NAS devices' authentication module, allowing unauthenticated attackers to obtain system information via a crafted URL. (high-severity score of 7.5)
  • CVE-2023-35138: Command injection flaw in the "show_zysync_server_contents" function in Zyxel NAS devices, permitting unauthenticated attackers to execute OS commands through a crafted HTTP POST request. (critical-severity score of 9.8)
  • CVE-2023-37927: Vulnerability in Zyxel NAS devices' CGI program, enabling authenticated attackers to execute OS commands with a crafted URL. (high-severity score of 8.8)
  • CVE-2023-37928: Post-authentication command injection in Zyxel NAS devices' WSGI server, allowing authenticated attackers to execute OS commands via a crafted URL. (high-severity score of 8.8)
  • CVE-2023-4473: Command injection flaw in the web server of Zyxel NAS devices, permitting unauthenticated attackers to execute OS commands through a crafted URL. (critical-severity score of 9.8)
  • CVE-2023-4474: Vulnerability in the WSGI server of Zyxel NAS devices, allowing unauthenticated attackers to execute OS commands with a crafted URL. (critical-severity score of 9.8)

Threat actors could exploit the vulnerabilities above to bypass authentication, obtain sensitive system information, execute arbitrary operating system commands, or take complete control of the affected Zyxel NAS devices.

To address these risks, NAS326 users should upgrade to firmware V5.21(AAZF.15)C0 or later, and NAS542 users to V5.21(ABAG.12)C0 or later; these releases fix all of the flaws listed above.

The vendor has provided no mitigation advice or workarounds; updating the firmware is the only recommended action. Until the update is applied, devices whose web interface is reachable from untrusted networks are the most exposed, since three of the flaws require no credentials at all.
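As an added example (not part of the Zyxel bulletin or of this article), the following Python helper parses Zyxel's firmware version strings in the form quoted above, compares each device against the fixed build for its model, and lists the devices that still need an upgrade. The inventory rows are constructed for the example, and the ordering rule (major.minor first, then the revision inside the parentheses, then the trailing C number) is an assumption that matches the affected/fixed pairs in the bulletin.

```python
import re
from typing import NamedTuple

# Fixed builds as stated in the bulletin. The family code in parentheses
# (AAZF for NAS326, ABAG for NAS542) identifies the firmware line; a version
# carrying a different family code is not comparable and is flagged for review.
FIXED_VERSIONS = {
    "NAS326": "V5.21(AAZF.15)C0",
    "NAS542": "V5.21(ABAG.12)C0",
}

# Accepts the bulletin's spelling with or without the leading "V",
# e.g. "V5.21(AAZF.14)C0" or "5.21(ABAG.11)C0".
_VERSION_RE = re.compile(
    r"^V?(?P<major>\d+)\.(?P<minor>\d+)"
    r"\((?P<family>[A-Z]+)\.(?P<rev>\d+)\)"
    r"C(?P<patch>\d+)$"
)


class ZyxelVersion(NamedTuple):
    major: int
    minor: int
    family: str
    rev: int
    patch: int

    @property
    def key(self):
        # Assumption: releases are ordered by major.minor, then the revision
        # inside the parentheses, then the C number. This is consistent with
        # the bulletin (AAZF.14 affected, AAZF.15 fixed; ABAG.11 / ABAG.12).
        return (self.major, self.minor, self.rev, self.patch)


def parse_version(text: str) -> ZyxelVersion:
    """Parse a Zyxel NAS firmware version string; raise ValueError if malformed."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Zyxel firmware version: {text!r}")
    return ZyxelVersion(
        int(m["major"]), int(m["minor"]), m["family"], int(m["rev"]), int(m["patch"])
    )


def is_vulnerable(model: str, running: str) -> bool:
    """True if `running` is older than the fixed build for `model`.

    Raises KeyError for an unknown model and ValueError if the version string
    is malformed or belongs to a different firmware family than the model.
    """
    fixed = parse_version(FIXED_VERSIONS[model])
    current = parse_version(running)
    if current.family != fixed.family:
        raise ValueError(
            f"{running} is not {model} firmware (expected family {fixed.family})"
        )
    return current.key < fixed.key


def triage(inventory):
    """Split (hostname, model, version) rows into upgrade / ok / review lists."""
    result = {"upgrade": [], "ok": [], "review": []}
    for host, model, version in inventory:
        try:
            bucket = "upgrade" if is_vulnerable(model, version) else "ok"
        except (KeyError, ValueError):
            # Unknown model, malformed version, or model/firmware mismatch:
            # do not silently mark it safe.
            bucket = "review"
        result[bucket].append(host)
    return result


# Constructed sample inventory, not real hosts.
SAMPLE_INVENTORY = [
    ("nas-finance", "NAS326", "V5.21(AAZF.14)C0"),   # last affected NAS326 build
    ("nas-media", "NAS326", "V5.21(AAZF.15)C0"),     # fixed
    ("nas-backup", "NAS542", "5.21(ABAG.11)C0"),     # last affected NAS542 build
    ("nas-archive", "NAS542", "V5.21(ABAG.12)C0"),   # fixed
    ("nas-legacy", "NAS326", "V5.11(AAZF.9)C0"),     # older line, still affected
    ("nas-mislabel", "NAS326", "V5.21(ABAG.12)C0"),  # family mismatch -> review
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Devices landing in the "review" bucket are deliberately not treated as safe: a version string that does not match the model's firmware family usually means the inventory, not the device, is wrong, and that is worth a manual check before closing the finding.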
