Multiple vulnerabilities have been discovered in Zyxel NAS (Network Attached Storage) products, posing a significant risk of command injection. These vulnerabilities, detailed below, could enable attackers to execute system commands, potentially leading to unauthorized access and control over affected devices. Zyxel has promptly responded by releasing patches to address these security concerns, prioritizing the protection of user data and network integrity.
Command Injection Vulnerabilities:
- CVE-2023-35138: This vulnerability affects the “show_zysync_server_contents” function of Zyxel NAS devices, enabling unauthenticated attackers to execute operating system commands via crafted HTTP POST requests, with a severity rating of 9.8 (Critical).
- CVE-2023-37928: This post-authentication command injection flaw resides in the WSGI server of NAS devices. By exploiting this vulnerability with a crafted URL, threat actors can execute OS commands on affected devices, rated at 8.8 in severity (High).
- CVE-2023-4473: Present in the web server of Zyxel NAS devices, this vulnerability permits unauthenticated threat actors to execute OS commands through crafted URLs, with a severity rating of 9.8 (Critical).
Acknowledging the responsible disclosure of these vulnerabilities by security researchers, Zyxel credits Maxim Suslov for CVE-2023-35138 and Attila Szász from BugProve for CVE-2023-37928 and CVE-2023-4473, along with Drew Balfour from IBM X-Force for CVE-2023-4473.
In addition to addressing these specific vulnerabilities, Zyxel has released patches to rectify a total of 15 security issues affecting NAS, firewall, and access point (AP) devices. Among these, three critical flaws, including the aforementioned command injection vulnerabilities, have been identified as potential pathways for authentication bypass and unauthorized command execution. These patches aim to fortify the security posture of Zyxel devices, reducing the risk of exploitation by threat actors.
It’s imperative for users to promptly apply these updates to mitigate potential threats, especially considering the history of Zyxel devices being targeted by malicious actors. By staying vigilant and ensuring their devices are up to date, users can bolster their defenses against evolving cybersecurity risks.