
Zyxel security advisory for the remote code execution vulnerability of NAS products

Zyxel_Support Posts: 431  Zyxel Moderator
edited March 12 in Discussions
The advisory page: 
https://www.zyxel.com/support/remote-code-execution-vulnerability-of-NAS-products.shtml

Summary

Zyxel NAS (Network Attached Storage) and firewall products are affected by a remote code execution vulnerability. Users are advised to install the standard firmware patches or follow the workaround immediately for optimal protection.

What is the vulnerability?

A remote code execution vulnerability was identified in the weblogin.cgi program used in Zyxel NAS and firewall products. Missing authentication for the program could allow attackers to perform remote code execution via OS command injection.

What products are vulnerable—and what should you do?

After a thorough investigation of the complete product lines, we’ve confirmed that the vulnerability affects the following products running specific firmware versions:

NAS products running firmware version 5.21 and earlier.

We’ve identified the vulnerable products that are within their warranty and support period, as shown in the table below. For optimal protection, we urge users to install the standard firmware immediately.


Standard Availability

NAS326: Available now. Firmware V5.21(AAZF.7)C0 
NAS520: Available now. Firmware V5.21(AASZ.3)C0 
NAS540: Available now. Firmware V5.21(AATB.4)C0 
NAS542: Available now. Firmware V5.21(ABAG.4)C0 (ftp://ftp2.zyxel.com/NAS542/firmware/NAS542_V5.21(ABAG.4)C0.zip)

An FAQ for the NAS firmware update process is also available at https://homeforum.zyxel.com/discussion/3370/faq-upgrading-latest-nas-remote-code-execution-vulnerability-firmware#latest

For affected products that reached end-of-support in 2016 or earlier, firmware updates are no longer provided. We strongly recommend that users follow the workaround procedure, as detailed below, to remediate the vulnerability.
Affected models that are end-of-support:
NSA210, NSA220, NSA220+, NSA221, NSA310, NSA310S, NSA320, NSA320S, NSA325 and NSA325v2
Workaround: Do not leave the product directly exposed to the internet. If possible, connect it to a security router or firewall for additional protection.

Got a question or a tipoff?

Please contact your local service rep for further information or assistance. If you’ve found a vulnerability, we want to work with you to fix it—contact '[email protected]' and we’ll get right back to you.

Acknowledgment

Thanks to Brian Krebs, an independent investigative journalist, for reporting the issue to us and CERT/CC for coordinating the disclosure process.


Comments

  • bene Posts: 3  Junior Member
    I have a NAS542 running at home. As soon as I heard of that problem today, I installed the hotfix. The problem is, now I cannot log in to the web interface anymore. The NAS did an automatic reboot and I still see my Samba shares. I can also log in via SSH, but using the same credentials, the web interface says my password is wrong. How can I log in again?
  • eozrocwd Posts: 45  Junior Member
    Do you mean that when you use the same password, you can log in via SSH but are not able to log in to the web interface? Please make sure the password is correct. Otherwise, you can reset the NAS542 to the default password.

    User's Guide:
    https://www.zyxel.com/support/download_landing/product/nas540_22.shtml?c=gb&l=en&pid=20131231165121&tab=User_s_Guide&pname=NAS540

  • Michael1122 Posts: 1
    edited February 26
    The same for me (NAS326). My old password is gone. "1234", the usual zyxel-bad-word doesn't work either.
  • bene Posts: 3  Junior Member
    I am 100% sure that it is the correct password. I use a password manager and I always use and used copy&paste to put in the password. I had set the same password to log in via SSH and in the web interface. SSH is still working, weblogin not (as explained, with copy&paste, that's why I can exclude typos 100%).
    What else do I reset with the described method? Is any loss of data possible?
  • Teemo Posts: 46  Junior Member
    edited February 27

    I have a NAS326 and a NAS540, and both have been updated with this hotfix firmware.
    But I didn't encounter your problem.

    May I know whether your NAS device has some special characters in its password?
  • Cookiemomo Posts: 12  Junior Member
    Thanks for fix update... Downloading
  • Zyxel_Eric Posts: 128  Zyxel Moderator
    edited February 27
    Dear All,

    If you have encountered the issue that you cannot access the GUI via your original password after uploading the Hotfix firmware, please follow the steps below to reset your password.
    1) Please press the reset button at the back of the NAS for 2 seconds; you will hear one beep sound, then release the button.
    2) Please access the Web GUI, and log in with admin/ 1234 to set up your new password for the NAS.


    Please note,

    1. Please don't include any special characters in your password.
    2. This reset will not erase all configuration of the NAS; it will only reset the password for admin and the network IP.
    3. If the IP of the NAS was set manually, the IP will switch to automatic after the reset. Please access Web GUI >> Control Panel >> Network >> TCP/IP >> Network Interface to reconfigure the network settings.
    4. This reset will not cause any data loss or damage in your NAS or disks.
    5. If there are other guest accounts on your NAS which contain special characters in their passwords, please inform the admin to change the password.

    Best Regards,
    Eric
  • MaccaL Posts: 2  Junior Member
    Also having this problem on NAS326. Here is a more detailed explanation of what works and what does not:
    - User admin cannot log in via web interface.
    - User admin cannot log in via launching token-based authentication from "DeskTop" from NAS Starter Utility.
    - User admin can still log in via ssh. This proves that the password still works.
    - All other users can log in via web interface or token-based from NAS Starter Utility.
  • bene Posts: 3  Junior Member
    After the reset, I was able to set a new password and login again.
    One question though: are you seriously saying, that special characters are not allowed in the password?
  • Mijzelf Posts: 1,073  Heroic Warrior Member
    For the owners of an older box which isn't patched by ZyXEL, I have added a patch to my Tweaks package. More info here.

    @bene: The vulnerability is caused by a badly filtered url input. I think ZyXEL now rigorously removes all (url) encoded characters.

  • MaccaL Posts: 2  Junior Member
    A quick update to my previous post: In fact there is one of the special characters !§$%&? etc. in the password that no longer works. However, current password policies usually enforce the password to consist of
    - lower case letters
    - upper case letters
    - numbers
    - special characters

    @Zyxel: Please improve your solution to filter the input strings! Special characters are mandatory in passwords! You can't be serious to disallow special characters.
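An added example, not Zyxel's code and not from any poster in this thread, illustrating the point of the last two posts: if the login handler never hands the credential to a shell, no character needs to be stripped, whereas a "filter the input" fix silently alters any password that contains the filtered characters. The function names, the metacharacter set and the sample password are assumptions constructed for the demo.

```python
"""Hypothetical login-form handling: filtering approach vs. no-shell approach."""
import hashlib
import hmac
from urllib.parse import parse_qs, quote

# Assumed set of characters a "strip shell metacharacters" fix would remove.
SHELL_META = set(";|&$`<>()'\"\\!%?")


def strip_special(password: str) -> str:
    """Filtering approach: drops characters meaningful to a shell, so any
    password containing them is silently changed and can no longer match."""
    return "".join(c for c in password if c not in SHELL_META)


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2 over the raw UTF-8 bytes: every character is acceptable."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def verify_login(query_string: str, stored_salt: bytes, stored_hash: bytes) -> bool:
    """No-shell approach: percent-decode the form field, hash it and compare
    in constant time. The credential never reaches a shell, so shell
    metacharacters are irrelevant to safety and nothing has to be stripped."""
    fields = parse_qs(query_string, keep_blank_values=True)
    password = fields.get("password", [""])[0]
    return hmac.compare_digest(hash_password(password, stored_salt), stored_hash)


# Constructed demo data: a policy-compliant password with shell metacharacters.
SALT = b"constructed-salt"
PASSWORD = "Ab1!$;&x"
STORED = hash_password(PASSWORD, SALT)


def demo() -> dict:
    """Submit the password as a browser would (percent-encoded form field)."""
    qs = "username=admin&password=" + quote(PASSWORD, safe="")
    return {
        # Raw credential round-trips intact and verifies.
        "safe_login_ok": verify_login(qs, SALT, STORED),
        # The stripped credential is a different string ...
        "stripped_equals_original": strip_special(PASSWORD) == PASSWORD,
        # ... so it no longer matches the stored hash: the thread's lockout.
        "stripped_login_ok": hmac.compare_digest(
            hash_password(strip_special(PASSWORD), SALT), STORED),
    }
```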
  • To33y Posts: 1
    The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.
  • Orrby Posts: 3  Junior Member
    NAS540 infected with this ransomware, what should I do?
    I have the ransom.txt in every folder, but no files are encrypted yet? I have a backup of the crucial files but have a bunch of videos etc. that I don't have a backup for.
    Installed the new firmware today, I can access my files etc. but wonder: is the ransomware still active or wiped out with the new firmware?
    What can I do? How do I run a malware program on the NAS to check?

    / Thanks
  • Mijzelf Posts: 1,073  Heroic Warrior Member
    Do not assume the ransomware is gone with installing the new firmware. It's trivial to install something on the NAS which will survive reboots and firmware upgrades.
    How do i run a malware program on the nas to check?
    You can't. You can enable the ssh server, login over ssh and run 'ps' to see if there are any suspicious processes. Or you can try to find the ransomware on disk. I wrote about that here.

    Further you can try to save your files by copying them, or by switching off the NAS. In the latter case you'll have to use another Linux system to read the disks.



  • Orrby Posts: 3  Junior Member
    Ok, I now have a backup of everything I need, so today I plan to do a full reset of the NAS.
    Only thing is that it's years ago I did anything in this NAS so I don't remember the steps yet :) 3x 4TB WD Red disks in RAID 5? Any pointers?