
Warning – Zyxel patches critical format string vulnerability affecting 3 NAS models

Reference: Advisory #2022-024
Version: 1.0
Affected software:
NAS326 V5.21(AAZF.11)C0 and earlier
NAS540 V5.21(AATB.8)C0 and earlier
NAS542 V5.21(ABAG.8)C0 and earlier
Type: Format String Vulnerability
CVE/CVSS: CVE-2022-34747

Risks

An attacker could exploit CVE-2022-34747 to achieve unauthorized remote code execution (RCE) via a crafted UDP packet. NAS devices are an attractive target for ransomware attackers, both as an initial access vector and as a place to encrypt the backups stored on the device. Encrypted backups make it harder to recover from a ransomware attack, which pressures the victim into paying the ransom.

Description

On the 6th of September, networking provider Zyxel released a security advisory to warn users of a critical format string vulnerability found in three Zyxel NAS models:

  • NAS326 V5.21(AAZF.11)C0 and earlier
  • NAS540 V5.21(AATB.8)C0 and earlier
  • NAS542 V5.21(ABAG.8)C0 and earlier

Recommended Actions

The Centre for Cyber Security Belgium recommends that administrators of Zyxel NAS appliances patch vulnerable devices.
The CCB strongly recommends not exposing NAS appliances to the internet. NAS devices should be placed behind a firewall.

References

https://www.securityweek.com/zyxel-patches-critical-vulnerability-nas-firmware