
Zyxel warns customers about new critical vulnerabilities in its NAS devices


In short: Zyxel is a Taiwanese manufacturer better known for its mobile and broadband networking products, and it also sells a handful of NAS devices for network-attached storage. Two of those NAS products are affected by six dangerous vulnerabilities, for which the company has already provided a security update.

Zyxel has recently published a new security advisory covering a group of vulnerabilities discovered in the company's NAS devices. The six flaws could be abused to bypass authentication and inject malicious commands into the NAS operating system, Zyxel warned. Customers are advised to install the already available security patches for "optimal protection" of their network storage setups.

The newly disclosed vulnerabilities, three of which are critical with very high severity scores, are tracked as CVE-2023-35137, CVE-2023-35138, CVE-2023-37927, CVE-2023-37928, CVE-2023-4473 and CVE-2023-4474. The first flaw (CVE-2023-35137) has a severity score of 7.5 and is an improper-authentication issue in the Zyxel NAS devices that could allow an unauthenticated attacker to obtain system information with a specially crafted URL.

The second flaw (CVE-2023-35138) is a critical vulnerability (9.8) in the "show_zysync_server_contents" function, Zyxel explains, which could give attackers a way to execute "some" OS commands by sending a specific HTTP POST request. The third flaw (CVE-2023-37927) is a high-severity bug (8.8) caused by improper neutralization of special elements in the CGI program, which could allow attackers to execute OS commands by sending a crafted URL.

The fourth flaw (CVE-2023-37928) is a post-authentication command injection vulnerability (8.8) in the WSGI server, which once again opens the door to OS command execution via a malicious URL. The fifth flaw (CVE-2023-4473) is a critical bug (9.8) in the NAS web server that could be exploited the same way. Finally, the sixth flaw (CVE-2023-4474) is another critical issue (9.8) arising from improper neutralization of special elements in the WSGI server.

Zyxel credited three researchers (Maxim Suslov, Gábor Selján and Drew Balfour) with discovering the flaws. The company carried out a "thorough investigation" to identify the supported devices affected by the issues, which are the NAS326 and NAS542 network storage models.

The Taiwanese manufacturer did not provide any mitigation measures or workarounds to protect the devices against the new flaws, so updating is the only fix on offer. To keep their data safe from cyber-criminals, customers need to install the following firmware updates: V5.21(AAZF.15)C0 for NAS326 and V5.21(ABAG.12)C0 for NAS542. Either model running an earlier build should be treated as unpatched until it is updated.
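As an added example (not code from the article or from Zyxel), the script below shows how an administrator could check a device inventory against the two fixed builds named above. It assumes that Zyxel firmware strings follow the layout V&lt;major&gt;.&lt;minor&gt;(&lt;platform code&gt;.&lt;build&gt;)C&lt;revision&gt;, that within one platform code a higher build number is a newer firmware, and that a firmware string which does not parse or whose platform code does not match the model should be treated as unpatched; the inventory list is constructed for the example.

```python
import re
from dataclasses import dataclass

# Fixed builds taken from the Zyxel advisory quoted in the article.
FIXED_BUILDS = {
    "NAS326": "V5.21(AAZF.15)C0",
    "NAS542": "V5.21(ABAG.12)C0",
}

# Assumed layout of a Zyxel firmware string: V<major>.<minor>(<platform>.<build>)C<rev>
VERSION_RE = re.compile(r"^V(\d+)\.(\d+)\(([A-Z]+)\.(\d+)\)C(\d+)$")


@dataclass(frozen=True)
class Firmware:
    major: int
    minor: int
    platform: str
    build: int
    revision: int

    def ordering_key(self):
        # Assumption: newer firmware sorts higher on (major, minor, build, revision).
        return (self.major, self.minor, self.build, self.revision)


def parse_version(text: str) -> Firmware:
    """Parse a Zyxel firmware string; raises ValueError on anything unexpected."""
    match = VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised Zyxel firmware string: {text!r}")
    major, minor, platform, build, revision = match.groups()
    return Firmware(int(major), int(minor), platform, int(build), int(revision))


def is_patched(model: str, installed: str) -> bool:
    """True when the installed build is at least the fixed build for the model."""
    fixed = parse_version(FIXED_BUILDS[model])
    current = parse_version(installed)
    if current.platform != fixed.platform:
        # The platform code identifies the hardware line; a mismatch means the
        # firmware string does not belong to this model, so refuse to compare.
        raise ValueError(
            f"{installed!r} has platform {current.platform}, expected {fixed.platform} for {model}"
        )
    return current.ordering_key() >= fixed.ordering_key()


def audit(inventory):
    """Classify (hostname, model, firmware) tuples against the advisory.

    Returns a list of (hostname, status) where status is one of
    'patched', 'VULNERABLE', 'not-in-advisory' or 'unparseable-treat-as-vulnerable'.
    """
    findings = []
    for hostname, model, firmware in inventory:
        if model not in FIXED_BUILDS:
            findings.append((hostname, "not-in-advisory"))
            continue
        try:
            patched = is_patched(model, firmware)
        except ValueError:
            # Fail closed: an unreadable or mismatched version is not proof of a patch.
            findings.append((hostname, "unparseable-treat-as-vulnerable"))
            continue
        findings.append((hostname, "patched" if patched else "VULNERABLE"))
    return findings


# Constructed sample inventory for the example (hostnames and firmware are made up).
SAMPLE_INVENTORY = [
    ("nas-finance", "NAS326", "V5.21(AAZF.14)C0"),   # one build behind the fix
    ("nas-backup", "NAS326", "V5.21(AAZF.15)C0"),    # exactly the fixed build
    ("nas-media", "NAS542", "V5.21(ABAG.13)C0"),     # newer than the fixed build
    ("nas-lab", "NAS542", "V5.20(ABAG.12)C0"),       # older minor version
    ("nas-old", "NAS542", "ABAG.12"),                # garbage string from an inventory export
    ("gw-office", "USG60", "V4.73(AAKY.1)C0"),       # model not covered by this advisory
]

if __name__ == "__main__":
    for hostname, status in audit(SAMPLE_INVENTORY):
        print(f"{hostname:12} {status}")
```

Anything reported as VULNERABLE or unparseable is a device to update (or at least re-inventory) before it is exposed to the network again, since the advisory offers no workaround.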
