Zyxel Releases Security Update
Update addresses three critical and three high vulnerabilities in several Network Attached Storage (NAS) devices
Summary
Update addresses three critical and three high vulnerabilities in several Network Attached Storage (NAS) devices
Affected platforms
The following platforms are known to be affected:
Threat details
Introduction
Zyxel has released a security update to address three critical and three high vulnerabilities in Network Attached Storage (NAS) devices.
Vulnerability details
- CVE-2023-35138 - CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
This is a command injection vulnerability, with a CVSS score of 9.8, affecting the “show_zysync_server_contents” function in Zyxel NAS devices. This vulnerability could allow an unauthenticated attacker to execute specific operating system commands by sending a crafted HTTP POST request.
- CVE-2023-4473 - CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
This is a command injection vulnerability, with a CVSS score of 9.8, affecting the web server in Zyxel NAS devices. This vulnerability could allow an unauthenticated attacker to execute specific operating system commands by sending a crafted URL to a system.
- CVE-2023-4474 - CWE-138 - Improper Neutralization of Special Elements
This is an improper neutralisation of special elements vulnerability, with a CVSS score of 9.8, in the WSGI server in Zyxel NAS devices. This vulnerability could allow an unauthenticated attacker to execute operating system commands by sending a crafted URL to a vulnerable device.
- CVE-2023-37928 - CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
This is a post-authentication command injection vulnerability, with a CVSS score of 8.8, affecting the WSGI server in Zyxel NAS devices. This vulnerability could allow an authenticated attacker to execute specific OS commands by sending a crafted URL to a vulnerable device.
- CVE-2023-35137 - CWE-287 - Improper Authentication
This is an improper authentication vulnerability, with a CVSS score of 7.5, within the authentication module of the Zyxel NAS326 firmware version V5.21(AAZF.14)C0 and NAS542 firmware version V5.21(ABAG.11)C0. This vulnerability could allow an unauthenticated attacker to obtain system information by sending a crafted URL to a vulnerable device.
- CVE-2023-37927 - CWE-138 - Improper Neutralization of Special Elements
This is an improper neutralisation of special elements vulnerability, with a CVSS score of 8.8, in the CGI program of the Zyxel NAS326 firmware version V5.21(AAZF.14)C0 and NAS542 firmware version V5.21(ABAG.11)C0. This vulnerability could allow an authenticated attacker to execute specific operating system (OS) commands by sending a crafted URL to a vulnerable device.
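As an added illustration of the OS command injection weakness class (CWE-78 / CWE-138) behind the WSGI-server findings above, the hypothetical Python WSGI handler below (not Zyxel's code; the `share` parameter, the `/i-data` path and the `ls` command are assumptions) shows a URL parameter spliced into a shell string beside the hardened allow-list-plus-argv form:

```python
import re
import subprocess
from urllib.parse import parse_qs

# Hypothetical WSGI handler illustrating the CWE-78 / CWE-138 weakness class
# named in the advisory; it is not Zyxel's code and the paths are invented.
DATA_ROOT = "/i-data"  # assumed share root, for illustration only

def build_command_unsafe(share: str) -> str:
    """Vulnerable pattern: the URL parameter is spliced into a shell string.
    Metacharacters such as ';' are not neutralised, so a crafted value can
    append a second command. Shown for contrast only; never run this."""
    return "ls -l " + DATA_ROOT + "/" + share

_SHARE_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")  # allow-list of safe names

def build_argv_safe(share: str) -> list:
    """Hardened pattern: validate against an allow-list, then build an argv
    list that runs without a shell, so no value can alter command structure."""
    if not _SHARE_RE.fullmatch(share):
        raise ValueError("share name contains disallowed characters")
    return ["ls", "-l", DATA_ROOT + "/" + share]

def run_safe(share: str) -> subprocess.CompletedProcess:
    # shell=False: argv elements are passed as-is, never re-parsed by sh.
    return subprocess.run(build_argv_safe(share), shell=False,
                          capture_output=True, check=False)

def app(environ, start_response):
    """Minimal WSGI callable: a crafted URL with metacharacters gets a 400
    before any command is built. The argv is echoed, not executed, so the
    example runs offline."""
    query = parse_qs(environ.get("QUERY_STRING", ""))
    share = query.get("share", [""])[0]
    try:
        argv = build_argv_safe(share)
    except ValueError:
        start_response("400 Bad Request", [("Content-Type", "text/plain")])
        return [b"invalid share name\n"]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [" ".join(argv).encode()]

def call_app(query_string: str):
    """Helper: invoke app() with a constructed environ; return (status, body)."""
    seen = {}
    def start_response(status, headers):
        seen["status"] = status
    body = b"".join(app({"REQUEST_METHOD": "GET",
                         "QUERY_STRING": query_string}, start_response))
    return seen["status"], body
```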
Remediation advice
Affected organisations are encouraged to review Zyxel's security advisory and apply relevant updates and mitigations.
Definitive source of threat updates
CVE Vulnerabilities
Last edited: 5 December 2023 3:32 pm