Zyxel has addressed multiple security issues, including three critical ones that could allow an unauthenticated attacker to execute operating system commands on vulnerable network-attached storage (NAS) devices.

Zyxel NAS systems store data in a centralized location on the network. They are designed for high volumes of data and offer features such as data backup, media streaming, and customized sharing options. Typical Zyxel NAS users include small to medium-sized businesses looking for a solution that combines data management, remote work, and collaboration features, IT professionals setting up data redundancy systems, and videographers and digital artists working with large files.

In a security bulletin today, the vendor warns of the following flaws affecting NAS326 devices running version 5.21(AAZF.14)C0 and earlier, and NAS542 devices running version 5.21(ABAG.11)C0 and earlier:

CVE-2023-35137: Improper authentication vulnerability in the authentication module of Zyxel NAS devices, allowing unauthenticated attackers to obtain system information via a crafted URL.

CVE-2023-35138: Command injection flaw in the "Show zysync server contents" function of Zyxel NAS devices, allowing unauthenticated attackers to execute OS commands through a crafted HTTP POST request.

To address these risks, NAS326 users are advised to upgrade to version V5.21(AAZF.15)C0 or later, and NAS542 users should upgrade their firmware to V5.21(ABAG.12)C0 or later; these releases fix the flaws above.

The vendor has provided no mitigation advice or workarounds; the firmware update is the recommended action.
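Since the bulletin offers no workaround, the practical task for an operator is to find every NAS326 and NAS542 still on a firmware build below the fixed one. The following is an added example written for this page, not code from Zyxel or from the original article. It parses the version format the bulletin uses (an optional leading "V", major.minor, a parenthesized branch code and build number, and a trailing "C" suffix), compares each device against the fixed builds quoted above, and flags devices whose firmware branch does not match the model they are recorded as. The regular expression, the assumption that the "C0" suffix is not version-significant, and the sample inventory are all assumptions made here for illustration.

```python
import re
from typing import Dict, List, NamedTuple, Tuple

# Fixed builds as stated in the advisory summarised above.
FIXED_BUILD = {
    "NAS326": "V5.21(AAZF.15)C0",
    "NAS542": "V5.21(ABAG.12)C0",
}

# Assumed shape of a Zyxel NAS firmware string: [V]<major>.<minor>(<BRANCH>.<build>)C<n>
# The leading "V" is optional because the bulletin writes it both ways.
VERSION_RE = re.compile(r"^V?(\d+)\.(\d+)\(([A-Z]+)\.(\d+)\)(C\d+)$")


class ZyxelVersion(NamedTuple):
    major: int
    minor: int
    branch: str   # model-specific code, e.g. AAZF for NAS326, ABAG for NAS542
    build: int
    suffix: str   # trailing "C0"; parsed but assumed not version-significant here


def parse_version(text: str) -> ZyxelVersion:
    """Parse a firmware string such as '5.21(AAZF.14)C0' or 'V5.21(ABAG.12)C0'."""
    match = VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised Zyxel version string: {text!r}")
    major, minor, branch, build, suffix = match.groups()
    return ZyxelVersion(int(major), int(minor), branch, int(build), suffix)


def is_vulnerable(model: str, version: str) -> bool:
    """True if the device runs a build older than the fixed one for its model.

    Raises KeyError for a model not covered by the advisory and ValueError when
    the firmware branch code does not belong to the recorded model, which usually
    means the inventory entry is wrong and should be checked by hand.
    """
    fixed = parse_version(FIXED_BUILD[model])
    current = parse_version(version)
    if current.branch != fixed.branch:
        raise ValueError(
            f"{model} expects branch {fixed.branch}, got {current.branch}"
        )
    # "X and earlier" in the bulletin: anything below the fixed build is affected.
    return (current.major, current.minor, current.build) < (
        fixed.major, fixed.minor, fixed.build
    )


def triage(inventory: List[Tuple[str, str, str]]) -> Dict[str, List[str]]:
    """Bucket (hostname, model, firmware) records into vulnerable/patched/unknown."""
    result: Dict[str, List[str]] = {"vulnerable": [], "patched": [], "unknown": []}
    for host, model, version in inventory:
        try:
            bucket = "vulnerable" if is_vulnerable(model, version) else "patched"
        except (KeyError, ValueError):
            bucket = "unknown"
        result[bucket].append(host)
    return result


# Constructed sample inventory (hostnames and firmware values are made up).
SAMPLE_INVENTORY = [
    ("nas-fin-01", "NAS326", "5.21(AAZF.14)C0"),   # last affected NAS326 build
    ("nas-lab-02", "NAS542", "V5.21(ABAG.12)C0"),  # fixed NAS542 build
    ("nas-hr-03", "NAS326", "V5.21(AAZF.15)C0"),   # fixed NAS326 build
    ("nas-old-04", "NAS542", "V5.20(ABAG.9)C0"),   # older minor version, affected
    ("nas-mis-05", "NAS326", "V5.21(ABAG.11)C0"),  # branch/model mismatch -> unknown
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

The comparison deliberately treats an earlier major.minor as affected as well, since the bulletin's wording is "and earlier" rather than a single build. Anything that fails to parse or whose branch code disagrees with the recorded model lands in "unknown" rather than silently in "patched", which is the safer failure mode for a triage script.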
This Cyber News was published on www.bleepingcomputer.com. Publication date: Thu, 30 Nov 2023 20:24:55 +0000