Critical Zyxel NAS vulnerabilities patched, update quickly!

Zyxel has patched six vulnerabilities affecting its network attached storage (NAS) devices, including several OS command injection flaws that can be easily exploited by unauthenticated attackers.

The vulnerabilities in Zyxel NAS devices

One of the six plugged security holes is an improper authentication vulnerability (CVE-2023-35137) in the devices’ authentication module, and may allow unauthenticated attackers to grab system information by sending a specially crafted URL to a vulnerable device.

The remaining five (CVE-2023-35138, CVE-2023-37927, CVE-2023-37928, CVE-2023-4473, CVE-2023-4474) are command injection vulnerabilities in various functions and servers of the Zyxel NAS devices. Depending on the flaw, they may allow authenticated or unauthenticated attackers to execute OS commands by simply sending a crafted URL or HTTP POST request to a vulnerable device.
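The advisory does not publish the affected code, so the following is an added illustration of the bug class, not Zyxel's handler: a web handler that reads a parameter from the request URL and hands it to the system shell, placed beside a hardened version that allow-lists the value and never invokes a shell. The `host` parameter, the `echo` stand-in command and the attacker input are all constructed for the example.

```python
import re
import subprocess
from urllib.parse import parse_qs

# Allow-list for a hostname-like parameter. The parameter name "host" is
# hypothetical; nothing on the page names the real Zyxel parameters.
HOST_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def host_from_query(query_string):
    """Extract the hypothetical 'host' parameter from a URL query string,
    exactly as a CGI-style handler would see it after URL decoding."""
    params = parse_qs(query_string, keep_blank_values=True)
    return params.get("host", [""])[0]


def run_vulnerable(host):
    """Anti-pattern: untrusted input concatenated into a shell command line.
    'echo' stands in for whatever binary a real handler would call; what
    matters is that shell metacharacters in 'host' are interpreted."""
    cmd = "echo " + host
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return out.stdout


def run_safe(host):
    """Hardened form: reject anything outside the allow-list, then pass the
    value as a single argv element so no shell ever parses it."""
    if not HOST_RE.fullmatch(host):
        raise ValueError("rejected host parameter: %r" % host)
    out = subprocess.run(["echo", host], capture_output=True, text=True)
    return out.stdout


if __name__ == "__main__":
    # Constructed attacker input, as it would arrive in the query string.
    query = "host=nas01.local%3B+echo+INJECTED"
    payload = host_from_query(query)
    # The second output line proves the injected command ran.
    print(run_vulnerable(payload), end="")
    try:
        run_safe(payload)
    except ValueError as err:
        print("blocked:", err)
```

The vulnerable path prints the injected command's output on its own line; the hardened path refuses the same input before any process is spawned. The allow-list plus argv-list combination is the fix pattern for this entire class, whether the handler is a CGI script or an HTTP POST endpoint.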

CVE-2023-4473 was discovered by IBM X-Force researcher Drew Balfour while investigating a previously fixed critical Zyxel NAS bug (CVE-2023-27992).

“During the course of investigating the original issue’s root cause, a new flaw, CVE-2023-4473, and a bypass for the CVE-2023-27992 patch were uncovered. Combined, they allow for pre-authenticated remote code execution on Zyxel NAS devices,” Balfour noted in a blog post published on Thursday, in which he detailed his research.

CVE-2023-27992 was added to CISA's Known Exploited Vulnerabilities Catalog on June 23, 2023. According to the agency, it is still unknown whether it has been used in ransomware campaigns.

What to do?

Zyxel NAS devices are a popular choice with small to medium-sized businesses (SMBs), who use them for data storage, backup, and to enable collaboration.

NAS devices by various manufacturers are often targeted by attackers, who exfiltrate or encrypt data stored on them and hold it for ransom. Attackers have also been known to lay low and exploit the access they have to vulnerable devices to rope them into botnets or use them as a stepping stone for a more thorough compromise of the target’s network.

In 2020, 62,000 QNAP NAS devices across the globe were infected with malware that stole sensitive information, established a backdoor into the system, and persisted on the devices by preventing updates from being installed.

Zyxel does not mention in-the-wild exploitation in their advisory, but urges users to install the patches “for optimal protection.”

Patches are available for NAS326 and NAS542 devices.

UPDATE (December 5, 2023, 05:10 a.m. ET):

Four of the patched vulnerabilities were reported by BugProve researcher Gábor Selján. Technical details are outlined in these vulnerability advisories.
