Zyxel is warning users of its NAS (Network Attached Storage) devices to update their firmware to fix a critical-severity command injection vulnerability.
The newly disclosed vulnerability, tracked as CVE-2023-27992, is a pre-authentication command injection flaw that allows an unauthenticated attacker to execute operating system commands on the device by sending specially crafted HTTP requests to its web interface.
The flaw was discovered by Andrej Zaujec, NCSC-FI, and Maxim Suslov and has received a CVSS v3 score of 9.8, rating it “critical.”
The impacted devices, firmware versions, and the patched releases are:
- NAS326 – impacts V5.21(AAZF.13)C0 and earlier, fixed in V5.21(AAZF.14)C0
- NAS540 – impacts V5.21(AATB.10)C0 and earlier, fixed in V5.21(AATB.11)C0
- NAS542 – impacts V5.21(ABAG.10)C0 and earlier, fixed in V5.21(ABAG.11)C0
Zyxel has provided no workarounds or mitigations for CVE-2023-27992 in its latest advisory, so users of the impacted NAS devices are recommended to apply the available security updates as soon as possible.
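The affected/fixed table above is only useful if you can map it onto a fleet inventory. The following script is an added example (it is not code from the article or from Zyxel) that parses Zyxel's firmware version strings and classifies each device as vulnerable, patched, or unknown. It assumes the version layout `V<major>.<minor>(<board>.<build>)C<release>` seen in the advisory, orders the `C<release>` suffix after the build number, and treats a board-code mismatch (for example an NAS540 build reported for an NAS326) as "unknown" rather than guessing. The inventory at the bottom is constructed sample data, not real devices.

```python
import re
from typing import List, NamedTuple, Tuple

# Last affected and first fixed firmware per model, taken from the advisory
# as reported in the article (CVE-2023-27992).
ADVISORY = {
    "NAS326": ("V5.21(AAZF.13)C0", "V5.21(AAZF.14)C0"),
    "NAS540": ("V5.21(AATB.10)C0", "V5.21(AATB.11)C0"),
    "NAS542": ("V5.21(ABAG.10)C0", "V5.21(ABAG.11)C0"),
}

# Assumed layout: V<major>.<minor>(<board>.<build>)C<release>
_VERSION_RE = re.compile(r"^V(\d+)\.(\d+)\(([A-Z]+)\.(\d+)\)C(\d+)$")


class ZyxelVersion(NamedTuple):
    major: int
    minor: int
    board: str    # board/firmware-line code, e.g. AAZF for NAS326
    build: int
    release: int  # the trailing C<n>; assumed to sort after build

    def key(self) -> Tuple[int, int, int, int]:
        # Board code is excluded: it identifies the firmware line, not its age.
        return (self.major, self.minor, self.build, self.release)


def is_valid_version(s: str) -> bool:
    return _VERSION_RE.match(s.strip()) is not None


def parse_version(s: str) -> ZyxelVersion:
    m = _VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised Zyxel version string: {s!r}")
    major, minor, board, build, release = m.groups()
    return ZyxelVersion(int(major), int(minor), board, int(build), int(release))


def assess(model: str, version: str) -> str:
    """Classify one device as 'vulnerable', 'patched' or 'unknown'."""
    if model not in ADVISORY:
        return "unknown"  # model not covered by this advisory
    last_bad, first_fixed = (parse_version(v) for v in ADVISORY[model])
    v = parse_version(version)
    if v.board != last_bad.board:
        return "unknown"  # firmware line does not match the model's advisory entry
    if v.key() <= last_bad.key():
        return "vulnerable"  # "and earlier" per the advisory
    if v.key() >= first_fixed.key():
        return "patched"
    # Anything between the two published versions is not covered by the advisory.
    return "unknown"


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    return [(model, ver, assess(model, ver)) for model, ver in inventory]


# Constructed sample inventory for demonstration only.
INVENTORY = [
    ("NAS326", "V5.21(AAZF.13)C0"),  # last affected build
    ("NAS326", "V5.21(AAZF.14)C0"),  # first fixed build
    ("NAS540", "V5.20(AATB.8)C0"),   # older minor version, still affected
    ("NAS542", "V5.21(ABAG.12)C0"),  # newer than the fix
    ("NAS326", "V5.21(AATB.13)C0"),  # board code belongs to NAS540: unknown
]

if __name__ == "__main__":
    for model, ver, status in triage(INVENTORY):
        print(f"{model:8} {ver:20} {status}")
```

Run it against your own exported inventory in place of `INVENTORY`; any device that comes back "vulnerable" needs the listed fixed release, and any "unknown" result deserves a manual look rather than being assumed safe.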
BleepingComputer also strongly advises that NAS owners not expose their devices to the Internet and make them accessible only from the local network or through a VPN. Keeping the NAS behind a firewall, with no port forwarding to its web interface, significantly reduces its exposure to newly disclosed flaws like this one, since attackers scanning the Internet cannot reach it.
At the time of writing, the structure of the malicious HTTP request and any other preconditions for exploiting the flaw have not been published. However, because exploitation requires no authentication, the bar for attackers is low: any affected device whose web interface is reachable can be targeted directly.
Hackers are always searching for critical flaws on Zyxel devices that can be exploited remotely and are quick to adopt publicly available PoC (proof of concept) exploits to attack devices that haven’t been patched to a secure firmware version.
NAS devices are a particularly enticing target for ransomware operations that remotely exploit vulnerabilities to encrypt files and issue ransom demands. In the past, QNAP and Synology NAS devices have been targeted by ransomware in widespread attacks.
Just last month, users of Zyxel firewall and VPN products came under massive attack waves from Mirai-based botnets and were possibly also targeted by more selective and sophisticated threat actors.
The attackers actively targeted the CVE-2023-28771, CVE-2023-33009, and CVE-2023-33010 flaws, impacting ATP, USG FLEX, VPN, and ZyWALL devices.
At the beginning of June, the vendor published a security advisory containing guidance on protecting these products against the attacks that had been ongoing for over a month.
Given this track record, taking prompt action to secure Zyxel NAS devices and the data they hold is crucial, as attacks on CVE-2023-27992 may begin at any time.
Source: https://www.bleepingcomputer.com/news/security/zyxel-warns-of-critical-command-injection-flaw-in-nas-devices/