Zyxel warns of multiple critical vulnerabilities in NAS devices

Zyxel has addressed multiple security issues, including three critical ones that could allow an unauthenticated attacker to execute operating system commands on vulnerable network-attached storage (NAS) devices.

Zyxel NAS systems are used for storing data in a centralized location on the network. They are designed for high volumes of data and offer features like data backup, media streaming, and customized sharing options.

Typical Zyxel NAS users include small to medium-sized businesses seeking a solution that combines data management, remote work, and collaboration features, as well as IT professionals setting up data redundancy systems, and videographers and digital artists working with large files.

In a security bulletin published today, the vendor warns of the following flaws affecting NAS326 devices running firmware version 5.21(AAZF.14)C0 and earlier, and NAS542 devices running version 5.21(ABAG.11)C0 and earlier.

  • CVE-2023-35137: Improper authentication vulnerability in the authentication module of Zyxel NAS devices, allowing unauthenticated attackers to obtain system information via a crafted URL. (high severity, score 7.5)
  • CVE-2023-35138: Command injection flaw in the "show_zysync_server_contents" function of Zyxel NAS devices, allowing unauthenticated attackers to execute OS commands through a crafted HTTP POST request. (critical severity, score 9.8)
  • CVE-2023-37927: Vulnerability in the CGI program of Zyxel NAS devices, enabling authenticated attackers to execute OS commands with a crafted URL. (high severity, score 8.8)
  • CVE-2023-37928: Post-authentication command injection in the WSGI server of Zyxel NAS devices, allowing authenticated attackers to execute OS commands via a crafted URL. (high severity, score 8.8)
  • CVE-2023-4473: Command injection flaw in the web server of Zyxel NAS devices, allowing unauthenticated attackers to execute OS commands through a crafted URL. (critical severity, score 9.8)
  • CVE-2023-4474: Vulnerability in the WSGI server of Zyxel NAS devices, allowing unauthenticated attackers to execute OS commands with a crafted URL. (critical severity, score 9.8)

Threat actors could exploit the vulnerabilities above to gain unauthorized access, execute operating system commands, obtain sensitive system information, or take complete control of the affected Zyxel NAS devices.

To address these risks, NAS326 users are advised to upgrade to firmware version V5.21(AAZF.15)C0 or later, and NAS542 users to V5.21(ABAG.12)C0 or later; these releases fix the flaws above.

The vendor has provided no mitigation advice or workarounds, so a firmware update is the recommended action.
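Because the only remediation is a firmware update, the practical task for a defender is confirming that every NAS326 and NAS542 in the estate is at or above the first fixed build. The script below is an added example, not Zyxel's code or part of the bulletin: it parses the firmware version format quoted in the bulletin (an optional "V", major.minor, a model code and build number in parentheses, then a "C" revision, a grammar inferred from those strings and therefore an assumption), compares each device against the fixed version for its model, and flags rows whose model code does not match so a mislabelled inventory entry is surfaced rather than silently passed. The inventory entries are constructed sample data.

```python
"""Firmware patch-compliance check for the Zyxel NAS326/NAS542 bulletin.

Added example, not Zyxel's code. The fixed version strings come from the
bulletin; the version-string grammar (V?major.minor(CODE.build)Cn) is an
assumption inferred from those strings, and the inventory is constructed.
"""
import re
from dataclasses import dataclass

# First fixed firmware per model, as stated in the bulletin.
FIXED_VERSIONS = {
    "NAS326": "V5.21(AAZF.15)C0",
    "NAS542": "V5.21(ABAG.12)C0",
}

# "V5.21(AAZF.15)C0" -> major 5, minor 21, code AAZF, build 15, rev 0.
# The leading "V" is optional because the bulletin quotes versions both ways.
_VERSION_RE = re.compile(
    r"^V?(?P<major>\d+)\.(?P<minor>\d+)"
    r"\((?P<code>[A-Z]+)\.(?P<build>\d+)\)C(?P<rev>\d+)$"
)


@dataclass(frozen=True)
class FirmwareVersion:
    major: int
    minor: int
    code: str
    build: int
    rev: int

    def key(self):
        # Ordering tuple; the model code is compared separately, not ordered.
        return (self.major, self.minor, self.build, self.rev)


def parse_version(text):
    """Parse a Zyxel-style firmware string; raise ValueError if it does not fit."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version string: {text!r}")
    return FirmwareVersion(
        int(m["major"]), int(m["minor"]), m["code"], int(m["build"]), int(m["rev"])
    )


def is_vulnerable(model, version_text):
    """True if the device runs firmware older than the first fixed build for its model.

    Raises ValueError for models outside the bulletin or when the firmware code
    does not belong to the stated model, so bad inventory data is not ignored.
    """
    if model not in FIXED_VERSIONS:
        raise ValueError(f"model {model!r} is not covered by this bulletin")
    fixed = parse_version(FIXED_VERSIONS[model])
    current = parse_version(version_text)
    if current.code != fixed.code:
        raise ValueError(
            f"firmware code {current.code} does not match {model} ({fixed.code})"
        )
    return current.key() < fixed.key()


def triage(inventory):
    """Split (hostname, model, version) rows into needs-patch, ok, and rows to check by hand."""
    needs_patch, ok, errors = [], [], []
    for host, model, version in inventory:
        try:
            (needs_patch if is_vulnerable(model, version) else ok).append(host)
        except ValueError as exc:
            errors.append((host, str(exc)))
    return needs_patch, ok, errors


# Constructed sample inventory: hostnames and version assignments are made up.
SAMPLE_INVENTORY = [
    ("nas-finance", "NAS326", "V5.21(AAZF.14)C0"),  # last affected build
    ("nas-media",   "NAS326", "V5.21(AAZF.15)C0"),  # first fixed build
    ("nas-backup",  "NAS542", "5.21(ABAG.11)C0"),   # affected, no "V" prefix
    ("nas-video",   "NAS542", "V5.21(ABAG.12)C0"),  # fixed
    ("nas-lab",     "NAS542", "V5.21(AAZF.12)C0"),  # code belongs to NAS326
    ("nas-old",     "NAS326", "V5.20(AAZF.99)C0"),  # older minor version
]

if __name__ == "__main__":
    patch, fine, errs = triage(SAMPLE_INVENTORY)
    print("needs patch:", patch)
    print("ok:", fine)
    for host, msg in errs:
        print("check manually:", host, "-", msg)
```

The comparison key orders by major, minor, build and revision, and the model code is checked for equality instead of being ordered, since a NAS542 reporting an AAZF build is an inventory error rather than a version that can be ranked. Feeding the script real data means exporting model and firmware strings from your asset system in the same form the bulletin uses.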