Zyxel, a leading networking solutions provider, has recently published a security advisory addressing critical security vulnerabilities, including authentication bypass and command injection, discovered in some of its personal cloud storage products. The affected models are NAS326 and NAS542.
Four of the six critical security vulnerabilities were reported by Gabor Seljan of BugProve, using BugProve’s firmware analysis platform. Detailed advisories were published here and here, with responsible disclosure and coordination between BugProve and Zyxel.
The identified critical security vulnerabilities have been assigned the following CVE numbers:
- CVE-2023-37927: Improper neutralization of special elements in the CGI program allows an authenticated attacker to execute OS commands via a crafted URL.
- CVE-2023-37928: A post-authentication command injection vulnerability in the WSGI server enables authenticated attackers to execute OS commands via a crafted URL.
- CVE-2023-4473: An authentication bypass vulnerability allows attackers to circumvent the authentication mechanism of the web server, gain unauthorized access, and exploit other command injection vulnerabilities that would otherwise require authentication.
- CVE-2023-4474: Improper neutralization of special elements in the WSGI server allows unauthenticated attackers to execute OS commands via a crafted URL.
By chaining the authentication bypass vulnerability with post-auth blind OS command injection vulnerabilities, an unauthenticated, remote attacker could perform unauthorized actions in the context of the root user. Addressing these vulnerabilities is crucial as authentication bypass vulnerabilities may eventually be exploited, providing access to previously unavailable attack vectors.
Zyxel has promptly released patches to mitigate these vulnerabilities. Users are strongly advised to install these patches to ensure optimal protection of their NAS products.
For more detailed information and patch downloads, please refer to Zyxel’s official security advisory here.
Always keep your IoT devices updated! Without the fixed firmware versions, vulnerabilities discovered by malicious actors can be exploited at any time. Buy from a trusted vendor that continues to maintain the security of its products even years after market release.