Warning – Zxyel patches critical format string vulnerability affecting 3 NAS models

Published : 08/09/2022

Reference:
Advisory #2022-024

Version:
1.0

Affected software:
NAS326 V5.21(AAZF.11)C0 and earlier
NAS540 V5.21(AATB.8)C0 and earlier
NAS542 V5.21(ABAG.8)C0 and earlier

Type:
Format String Vulnerability

CVE/CVSS:
CVE-2022-34747

Sources

https://www.zyxel.com/support/Zyxel-security-advisory-for-format-string-vulnerability-in-NAS.shtml

Risks

An attacker could exploit CVE-2022-34747 to achieve unauthorized remote code execution (RCE) via a crafted UDP packet. NAS devices are an interesting target for ransomware attackers as initial vector and to encrypt backups stored on the NAS device. Encrypted backups make it harder to restore from a ransomware, which forces the victim to pay the ransom.

Description

On the 6^th of September, networking provider Zyxel released a security advisory to warn users of a critical format string vulnerability found in three Zyxel NAS models:

NAS326 V5.21(AAZF.11)C0 and earlier
NAS540 V5.21(AATB.8)C0 and earlier
NAS542 V5.21(ABAG.8)C0 and earlier

Recommended Actions

The Centre for Cyber Security Belgium recommends administrators of Zyxel NAS appliances to patch vulnerable Zyxel NAS devices.

The CCB strongly recommends to not expose NAS appliances to the internet. NAS devices should be configured behind a firewall.

References

https://www.securityweek.com/zyxel-patches-critical-vulnerability-nas-firmware