Zyxel NAS Vulnerabilities: A Critical Call for Patching

Zyxel, a leading provider of networking solutions, has recently released patches addressing a series of critical vulnerabilities affecting their NAS products. These vulnerabilities pose a significant risk to device security, potentially allowing unauthorized access and execution of malicious commands.

CVE-2023-35138

Unraveling the Vulnerabilities

The identified vulnerabilities span a range of severity levels, ranging from a CVSS score of 7.5 to 9.8. Let’s delve into each vulnerability to understand the potential risks:

  1. CVE-2023-35137: Improper Authentication

This vulnerability allows an unauthenticated attacker to gather system information by sending a crafted URL to the affected device. The attacker could exploit this vulnerability to gain insights into the device’s configuration, potentially paving the way for further attacks.

  1. CVE-2023-35138: Command Injection

This vulnerability, with a CVSS score of 9.8, allows an unauthenticated attacker to execute arbitrary commands on the affected device. By sending a crafted HTTP POST request, the attacker could gain complete control over the device, potentially compromising sensitive data or disrupting critical operations.

  1. CVE-2023-37927: Improper Neutralization of Special Elements

This vulnerability allows an authenticated attacker to execute arbitrary commands by sending a crafted URL to the affected device. The attacker could exploit this vulnerability to escalate privileges and gain unauthorized control over the device’s functionality.

  1. CVE-2023-37928: Post-Authentication Command Injection

This vulnerability allows an authenticated attacker to execute arbitrary commands by sending a crafted URL to the affected device. Similar to CVE-2023-35138, this vulnerability poses a significant risk of unauthorized control and data compromise.

  1. CVE-2023-4473: Command Injection

This vulnerability allows an unauthenticated attacker to execute arbitrary commands by sending a crafted URL to the affected device. The attacker could exploit this vulnerability to gain unauthorized access and disrupt critical operations.

  1. CVE-2023-4474: Improper Neutralization of Special Elements

This vulnerability allows an unauthenticated attacker to execute arbitrary commands by sending a crafted URL to the affected device. Similar to CVE-2023-37927, this vulnerability poses a risk of unauthorized access and control.

Protecting Your Zyxel NAS Devices

To mitigate the risks associated with these vulnerabilities, Zyxel has released patches for the affected NAS products. It is crucial for users to promptly install these patches to safeguard their devices from potential exploits.

Here’s a summary of the affected models, affected versions, and patch availability:

Affected Model Affected Version Patch Availability
NAS326 V5.21(AAZF.14)C0 and earlier V5.21(AAZF.15)C0
NAS542 V5.21(ABAG.11)C0 and earlier V5.21(ABAG.12)C0
  • Enabling strong passwords and multi-factor authentication
  • Regularly updating firmware and software
  • Limiting access to the NAS device to authorized users
  • Implementing a comprehensive network security strategy

By implementing these measures, organizations can significantly reduce the risk of unauthorized access and maintain the integrity of their Zyxel NAS devices.