Zyxel, the Taiwanese manufacturer of network devices, NAS (Network Attached Storage) units and many other products, has informed customers about the discovery of a number of vulnerabilities in two NAS models. A total of six serious vulnerabilities were found that could allow the network storage to be compromised. The manufacturer has already released firmware updates with security fixes.
Some time ago, Zyxel published a new security advisory regarding vulnerabilities identified in its NAS devices. Six flaws can be used by attackers to bypass authentication and inject malicious commands into the storage operating system (OS). Users are strongly recommended to install the security patches that are already available to “reliably protect” their data.
The newly discovered vulnerabilities, which include three critical issues with very high severity ratings, are described in the following tracked CVE bulletins: CVE-2023-35137, CVE-2023-35138, CVE-2023-37927, CVE-2023-37928, CVE-2023-4473, CVE-2023-4474.
- The first vulnerability, CVE-2023-35137, received a severity score of 7.5 and is an improper-authentication issue on Zyxel NAS devices. The flaw could allow an unauthenticated attacker to obtain system information via a specially crafted URL.
- The second issue (CVE-2023-35138) is a critical vulnerability with a severity of 9.8 in the show_zysync_server_contents function. According to Zyxel, this vulnerability may give an attacker the opportunity to execute operating system commands by sending a crafted HTTP POST request.
- The third vulnerability (CVE-2023-37927) has a severity of 8.8. It is caused by improper neutralization of special elements in the CGI (Common Gateway Interface) program and allows an attacker to execute operating system commands by sending a crafted URL.
- The fourth vulnerability (CVE-2023-37928), also scored 8.8, is a post-authentication command injection in the Web Server Gateway Interface (WSGI) server, which may allow an authenticated attacker to execute operating system commands via a malicious URL.
- The fifth vulnerability (CVE-2023-4473) is a critical flaw (9.8 points) in the Zyxel NAS web server that can be exploited in a similar manner.
- Finally, the sixth bug (CVE-2023-4474) is another critical issue (9.8 points) caused by improper neutralization of special elements in the WSGI server.
Zyxel credited three researchers, Maxim Suslov, Gábor Selján and Drew Balfour, for identifying the flaws. Zyxel conducted a “thorough investigation” to identify the devices affected by the defects, including the network storage models NAS326 and NAS542.
The Taiwanese manufacturer has not yet announced any workarounds or other mitigations to protect the NAS from the new defects. To protect their data from cybercriminals, users need to install the following firmware updates: V5.21(AAZF.15)C0 for NAS326 and V5.21(ABAG.12)C0 for NAS542.
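As an added example (not part of the advisory or Zyxel's tooling), the following Python triage helper compares the firmware version reported by each NAS in an inventory against the fixed versions named above. The inventory rows are constructed, and the parsing of Zyxel's version string into numeric fields is an assumption made here for the comparison.

```python
import re
from typing import NamedTuple, Optional

# Fixed firmware versions from the Zyxel advisory for the two affected models.
FIXED = {
    "NAS326": "V5.21(AAZF.15)C0",
    "NAS542": "V5.21(ABAG.12)C0",
}

# Assumed layout of a Zyxel firmware string: V<major>.<minor>(<branch>.<build>)C<rev>
VERSION_RE = re.compile(r"^V(\d+)\.(\d+)\(([A-Z]+)\.(\d+)\)C(\d+)$")


class FwVersion(NamedTuple):
    major: int
    minor: int
    branch: str
    build: int
    rev: int


def parse_version(text: str) -> FwVersion:
    """Parse a Zyxel-style firmware string; tolerates stray spaces."""
    m = VERSION_RE.match(text.replace(" ", ""))
    if not m:
        raise ValueError(f"unrecognised Zyxel firmware string: {text!r}")
    major, minor, branch, build, rev = m.groups()
    return FwVersion(int(major), int(minor), branch, int(build), int(rev))


def is_patched(model: str, version: str) -> Optional[bool]:
    """True if the firmware is at or above the fixed release, False if older,
    None if the model is not covered by this advisory."""
    fixed = FIXED.get(model)
    if fixed is None:
        return None
    have, need = parse_version(version), parse_version(fixed)
    if have.branch != need.branch:
        raise ValueError(f"{model}: branch {have.branch} differs from fixed branch {need.branch}")
    # Assumption: within one branch, (major, minor, build, rev) increases monotonically.
    return (have.major, have.minor, have.build, have.rev) >= (need.major, need.minor, need.build, need.rev)


# Constructed sample inventory: (hostname, model, firmware reported by the device).
INVENTORY = [
    ("nas-hq-01", "NAS326", "V5.21(AAZF.14)C0"),
    ("nas-hq-02", "NAS326", "V5.21(AAZF.15)C0"),
    ("nas-lab-01", "NAS542", "V5.20(ABAG.10)C0"),
    ("nas-lab-02", "NAS542", "V5.21(ABAG.12)C0"),
    ("fw-edge-01", "USG60", "V4.73(AAKY.1)C0"),   # not a NAS; outside this advisory
]


def vulnerable_hosts(inventory=INVENTORY):
    """Return hostnames of covered models still running pre-fix firmware."""
    return [host for host, model, ver in inventory if is_patched(model, ver) is False]
```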