November 30, 2023 at 10:17AM
Zyxel has patched critical security vulnerabilities in its NAS devices that risked unauthorized command execution and data compromise. Users of NAS326 and NAS542 models must update their firmware to versions V5.21(AAZF.15)C0 and V5.21(ABAG.12)C0 or later, respectively, as there are no alternative mitigations.
**Takeaways from Meeting Notes:**
1. **Issue Identification:**
Zyxel has reported multiple security vulnerabilities, including three critical ones, potentially allowing unauthenticated attackers to execute commands on certain NAS devices.
2. **Affected Systems:**
The issues affect Zyxel’s NAS326 and NAS542 network-attached storage devices below specific firmware versions:
– NAS326: Version 5.21(AAZF.14)C0 and earlier
– NAS542: Version 5.21(ABAG.11)C0 and earlier
3. **Vulnerabilities Summary:**
Six Common Vulnerabilities and Exposures (CVEs) have been disclosed:
– CVE-2023-35137: Improper authentication leading to system info disclosure.
– CVE-2023-35138: Command injection via crafted HTTP POST request.
– CVE-2023-37927: Command execution for authenticated attackers through a crafted URL.
– CVE-2023-37928: Post-authentication command injection in WSGI server.
– CVE-2023-4473: Unauthenticated command injection in the web server.
– CVE-2023-4474: Unauthenticated command execution on WSGI server.
Scores range from 7.5 to 9.8 in severity, with higher scores indicating critical severity.
4. **User Impact:**
Potential threats include unauthorized access, system information theft, operational command execution, or complete control of the NAS devices.
5. **Solution/Recommendation:**
– Users of NAS326 should upgrade to firmware version V5.21(AAZF.15)C0 or later.
– Users of NAS542 should update to firmware version V5.21(ABAG.12)C0 or later.
– No other mitigation strategies or workarounds are advised; a firmware update is the recommended remediation step.
6. **Action Items:**
– Communicate the risks and recommended firmware updates to relevant stakeholders.
– Ensure that affected NAS devices are promptly updated to the latest firmware versions.
– Monitor developments for any additional guidance or mitigation measures.