Zyxel Updates NAS Devices to Fix Potential Security Flaw

Shaposhnikov Ilya alerted about a major security vulnerability, targeting Zyxel's network-attached storage (NAS) device. The vulnerability was identified as CVE-2022-3474 and the patches for the same were released. The vulnerability officially described as a 'format string vulnerability' affects Zyxel NAS326 firmware versions before V5.21(AAZF.12)C0 and has a CVSS score of 9.8/10.

An attacker could take advantage of the issue by sending specially created UDP packets to vulnerable products. The firm said in an alert that a successful flaw exploit might allow a hacker to run whatever code they want on the vulnerable device.

Zyxel provided security upgrades in May 2022 to address a number of vulnerabilities impacting a variety of products, including firewall, AP, and AP controller products.

The following versions are affected by the flaw:

• NAS326 (versions before V5.21(AAZF.11)C0)
• NAS540 (versions prior to V5.21(AATB.8)C0), and
• Prior to V5.21(ABAG.8)C0, NAS542

This revelation follows Zyxel's July patching of the CVE-2022-30526 and CVE-2022-2030 vulnerabilities impacting its firewall products, which affect local root access and authenticated directory traverse.

The four vulnerabilities with the command injection bug in some CLI commands classified as CVE-2022-26532 being the most critical are as follows: 

• CVE-2022-0734: A cross-site scripting vulnerability was found in the CGI program of various firewall versions, which could let an attacker use a malicious script to access data stored in the user's browser, like cookies or session tokens.

• CVE-2022-26531: Several erroneous input validation problems were discovered in several CLI commands of some firewall, AP controller, and AP versions that might let a local authorized attacker bring down the system or trigger a buffer overflow through the use of a specially crafted payload.

• CVE-2022-26532: Certain firewall, AP controller, and AP versions contain the 'packet-trace' CLI command that contains a command injection vulnerability that might allow a local, authorized attacker to execute arbitrary OS instructions by providing specially crafted inputs to the function.

• CVE-2022-0910: In the CGI program of various firewall versions, an authentication bypass issue resulting from a deficient access control mechanism has been discovered. An attacker may be able to use an IPsec VPN client to switch from two-factor verification to one-factor verification due to the bug.

A few days after QNAP issued a warning about a fresh wave of Deadbolt ransomware attacks aimed at its NAS consumers, Zyxel released its caution. 

In earlier assaults that exploited another critical-severity vulnerability resulting in remote code execution, a Mirai botnet variant targeted Zyxel NAD products.

Remote code execution flaws in NAS devices, which are frequently used to store massive amounts of data, might easily result in complete device compromise. NAS devices are frequently the target of ransomware assaults.