
Issues with firmware V5.21(AAZF.7) on NAS326

chris1284 Posts: 1
edited March 7 in Discussions
Hi,
After installing firmware V5.21(AAZF.7) on my NAS326 there are some issues:

1. Password broken after reboot -> password reset works but the NAS doesn't accept passwords with "#" in them
2. RSYNC, which normally uses the admin password, is not working with the new password (and not with the old one)

Is there a solution to set the rsync password on the NAS so that I can log on to the rsync service again?

#NAS_Mar_2020

Comments

  • mirtomi Posts: 1
    Same issue here on NAS540, cannot access the web interface after firmware upgrade, password contains "#". Any solutions?
  • Bob2701 Posts: 3  Junior Member
    Hmm, I guess I'll wait a while.
  • Mijzelf Posts: 1,073  Heroic Warrior Member

    @Bob2701: Also read that thread. The previous firmware has a vulnerability which is actively exploited.
  • Mel Posts: 71  Warrior Member
    As far as I know, to avoid the remote code execution vulnerability, the password doesn't accept special characters !  #  $  %  &  (  -  |.
  • Mijzelf Posts: 1,073  Heroic Warrior Member
    @Mel: Do you have a source for that? I don't see how ! - ( can trigger the bug, and am missing the ;
  • Tukemoni Posts: 5  Junior Member
    Hi. I have the same issue after the update. I can't log in via the web interface ("The username or password is incorrect."), ssh is working normally with the old password. Also file sharing is working normally and I can log in via Mac Finder. My password also includes special character(s). If Mel is right, I could try to change the password, but how to do it via ssh?
  • Mijzelf Posts: 1,073  Heroic Warrior Member
    how to do it via ssh?

    You can try to use smbpasswd. If you have changed your password using smbpasswd, you also have to change it once again in the webinterface, to trigger storage in flash.

  • Tukemoni Posts: 5  Junior Member
    Thanks, but I will backup and try password resetting with a button as advised.
  • masterflai Posts: 17  Junior Member
    The "solution" provided by ZyXEL is hopefully just a workaround. After the patch I installed the provided firmware upgrade on NAS540 and NAS326 and I was able to edit the password for the admin user within the configuration menu. There was no claim regarding a '!' in the password. Enter the new password, save the configuration and log in again. Voila, the password will be prompted as incorrect because of the missing symbol. In fact, the new firmware accepts symbols when changing the user password via the menu, but the login screen is protected against the vulnerability. Sorry ZyXEL, but these were the last products I bought from you.
  • Zyxel_Steven Posts: 246  Zyxel Moderator
    To fix the remote code execution vulnerability, the latest firmware doesn't allow the special characters !  #  $  %  &  (  -  | in passwords.

    There is a known issue that a user can set a password including the special characters !  #  $  %  &  (  -  | under Control Panel > Users > Edit User, but the user will not be able to log in after changing to a password that includes the special characters !  #  $  %  &  (  -  |. We will fix it in the next official firmware to comprehensively forbid the special characters !  #  $  %  &  (  -  |.

    If a user cannot log in to the web interface with a password including the special characters !  #  $  %  &  (  -  | after the firmware update is finished, please press the hardware reset button at the back of the NAS for 2 seconds; you will hear one beep, then release the hardware reset button. This resets the NAS's IP address and password to the default setting (admin/1234).

    Please note,
    1. This reset will not erase all configuration of the NAS device; it will only reset the password for admin and the network IP.
    2. This reset will not cause any data loss or damage in your NAS device or disk.
    3. If the IP of the NAS device was set manually, the IP will switch to automatic after the reset. Please access Web GUI >> Control Panel >> Network >> TCP/IP >> Network Interface to re-configure the network settings.
  • masterflai Posts: 17  Junior Member
    Thanks for the reply Steven. I reset the password yesterday with the mentioned method. It was the same procedure after installing the patch before.

    Is it true that the current status of the firmware is not to use special characters? If so, why didn't ZyXEL also modify the webpage (user administration), where a user can enter a new password?
  • Zyxel_Steven Posts: 246  Zyxel Moderator
    edited March 26
    Is it true that the current status of the firmware is not to use special characters? If so, why didn't ZyXEL also modify the webpage (user administration), where a user can enter a new password?
    @masterflai,
    We will fix it in the next official firmware to forbid users from setting a new password that includes the special characters !  #  $  %  &  (  -  |, which causes the login issue.
  • Mijzelf Posts: 1,073  Heroic Warrior Member
    @Zyxel_Steven : Can you elaborate on that? I don't see how ! ( and - can trigger the bug. But I can trigger the bug without any of the characters you list here:

    wget http://nas520.lan/adv,/cgi-bin/weblogin.cgi --post-data="username=a';touch /tmp/x;'"

    will create a file /tmp/x

  • masterflai Posts: 17  Junior Member
    @Zyxel_Steven : In this context, would proper input validation not be much more useful and the correct way to deal with the threat? In my eyes, prohibiting special characters is at most a workaround to save time.

    Please dear ZyXEL team, do it better this time. You can do it if you try hard.

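    The point Mijzelf and masterflai are making in the two posts above (a character blocklist on the password field does not close a shell-injection bug, and positive validation plus not invoking a shell does) can be shown in a few lines. The following is an added illustration in Python, not code from the thread and not from Zyxel's firmware. It assumes a hypothetical helper binary /usr/bin/auth-helper and an allow-list for account names that the page does not specify; the only input it checks is the string from Mijzelf's wget example, reproduced as a constructed test value and never executed.

```python
import re
import shlex

# The blocklist the moderator posted in the thread: "! # $ % & ( - |".
FIRMWARE_BLOCKLIST = set("!#$%&(-|")

# Constructed test value taken from Mijzelf's post. Note that it contains
# none of the blocklisted characters, only a quote, a semicolon and a space.
CONSTRUCTED_INJECTION_INPUT = "a';touch /tmp/x;'"

# Allow-list for an account name. This is an assumption for the example; the
# page does not state the firmware's real username rules.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.]{1,32}$")


def blocklist_accepts(value: str) -> bool:
    """Mimic the firmware's filter: reject only if a blocklisted char is present."""
    return not (set(value) & FIRMWARE_BLOCKLIST)


def allowlist_accepts(value: str) -> bool:
    """Positive validation: accept only if every character is explicitly permitted."""
    return USERNAME_RE.fullmatch(value) is not None


def unsafe_shell_command(username: str) -> str:
    """The vulnerable pattern: untrusted text spliced into a shell command string.

    Returned as a string only, never run. The quote and semicolon in the input
    close the single-quoted argument and start a second command for the shell.
    """
    return f"/usr/bin/auth-helper --user '{username}'"  # hypothetical helper


def quoted_shell_command(username: str) -> str:
    """If a shell string is unavoidable, shlex.quote turns the input into one word.

    Embedded single quotes are re-escaped so the shell sees a single argument.
    """
    return f"/usr/bin/auth-helper --user {shlex.quote(username)}"


def safe_argv(username: str) -> list:
    """Preferred fix: validate against the allow-list, then pass the value as
    one argv element with no shell involved at all.

    Raises ValueError instead of forwarding a value the allow-list rejects.
    subprocess.run(argv) without shell=True hands this list straight to
    execve, so /bin/sh never parses the username.
    """
    if not allowlist_accepts(username):
        raise ValueError("username contains characters outside the allow-list")
    return ["/usr/bin/auth-helper", "--user", username]


if __name__ == "__main__":
    payload = CONSTRUCTED_INJECTION_INPUT
    print("blocklist accepts payload:", blocklist_accepts(payload))   # True
    print("allow-list accepts payload:", allowlist_accepts(payload))  # False
    print("unsafe string:", unsafe_shell_command(payload))
    print("quoted string:", quoted_shell_command(payload))
    print("argv for a normal name:", safe_argv("admin"))
```

    Running it shows the blocklist passing the injection string untouched while the allow-list rejects it, and why the argv form is the real fix: the shell is never asked to interpret the field, so the set of "dangerous" characters no longer matters.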
  • Zyxel_Steven Posts: 246  Zyxel Moderator
    edited March 26

    Updated.

    NAS326: V5.21(AAZF.8)C0
    NAS520: V5.21(AASZ.4)C0
    NAS540: V5.21(AATB.5)C0
    NAS542: V5.21(ABAG.5)C0


    The release note is in the attachment.