Security News > 2023 > December > Critical Zyxel NAS vulnerabilities patched, update quickly!
Zyxel has patched six vulnerabilities affecting its network attached storage devices, including several command injection flaws that can be easily exploited by unauthenticated attackers.
One of the six plugged security holes is an improper authentication vulnerability in the devices' authentication module, and may allow unauthenticated attackers to grab system information by sending a specially crafted URL to a vulnerable device.
The remaining five are command injection vulnerabilities in Zyxel NAS devices' various functions and servers.
"During the course of investigating the original issue's root cause, a new flaw, CVE-2023-4473, and a bypass for the CVE-2023-27992 patch were uncovered. Combined, they allow for pre-authenticated remote code execution on Zyxel NAS devices," Balfour noted in a blog post published on Thursday, in which he detailed his research.
Zyxel NAS devices are a popular choice with small to medium-sized businesses, who use them for data storage, backup, and to enable collaboration.
In 2020, 62,000 QNAP NAS devices across the globe were infected with malware that stole sensitive information, established a backdoor into the system, and persisted on the devices by preventing updates from being installed.
News URL
https://www.helpnetsecurity.com/2023/12/01/zyxel-nas-vulnerabilities/
Related news
- Apple Releases Critical iOS and iPadOS Updates to Fix VoiceOver Password Vulnerability (source)
- Zero-Day Alert: Three Critical Ivanti CSA Vulnerabilities Actively Exploited (source)
- VMware Releases vCenter Server Update to Fix Critical RCE Vulnerability (source)
- Synology Urges Patch for Critical Zero-Click RCE Flaw Affecting Millions of NAS Devices (source)
- D-Link won’t fix critical flaw affecting 60,000 older NAS devices (source)
- HPE Issues Critical Security Patches for Aruba Access Point Vulnerabilities (source)
- Critical bug in EoL D-Link NAS devices now exploited in attacks (source)
- Patch Tuesday: Four Critical Vulnerabilities Paved Over (source)
- Critical vulnerabilities persist in high-risk sectors (source)
- Apple Releases Urgent Updates to Patch Actively Exploited Zero-Day Vulnerabilities (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-11-30 | CVE-2023-4473 | OS Command Injection vulnerability in Zyxel Nas326 Firmware and Nas542 Firmware A command injection vulnerability in the web server of the Zyxel NAS326 firmware version V5.21(AAZF.14)C0 and NAS542 firmware version V5.21(ABAG.11)C0 could allow an unauthenticated attacker to execute some operating system (OS) commands by sending a crafted URL to a vulnerable device. | 9.8 |
| 2023-06-19 | CVE-2023-27992 | OS Command Injection vulnerability in Zyxel Nas326 Firmware, Nas540 Firmware and Nas542 Firmware The pre-authentication command injection vulnerability in the Zyxel NAS326 firmware versions prior to V5.21(AAZF.14)C0, NAS540 firmware versions prior to V5.21(AATB.11)C0, and NAS542 firmware versions prior to V5.21(ABAG.11)C0 could allow an unauthenticated attacker to execute some operating system (OS) commands remotely by sending a crafted HTTP request. | 9.8 |