Top NAS devices are being targeted by this dangerous malware
Zyxel warns users to patch up now
IoT cybersecurity company Sternum has identified a security vulnerability affecting Zyxel Networks’ Linux-operated NAS drives, including NAS326, NAS540, and NAS542 models, running on firmware version 5.21.
Zyxel Networks’ advisory reads: “The post-authentication command injection vulnerability has been found in the web management interface of some NAS versions,” citing firmware 5.21 and previous versions.
Users are being urged to patch their NAS drives with the latest firmware, which is also identified as 5.21, in order to protect their devices.
Zyxel Networks NAS patch
Specifically, NAS326 owners are being told to update from 5.21 (AAZF.12)C0 to (AAZF.13)C0, NAS540 from (AATB.9)C0 to (AATB.10)C0, and NAS542 from (ABAG.9)C0 to (ABAG.10)C0. The updates are available from the Zyxel website.
Sternum’s Noam Zhitomirsky, Reuven Yakar, Dean Zavadski, and Amit Serper are credited with notifying the NAS maker of the vulnerability, which was marked as CVE-2023-27988 on May 30, 2023.
In a press release, Sternum said: “Sternum security researchers were in the process of scanning one of the Zyxel NAS units as part of the company's standard lab deployment process when a “Dangerous String Format” alert was triggered by one of the security logics in the Sternum security platform.”
The problem was pinpointed as being with the ntpdate_date process, which left a vulnerability allowing an authenticated user to execute an arbitrary system command with root privileges on the system.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
Sternum stressed that this could allow hackers to inject remote malware onto unsuspecting NAS drive owners’ devices.
While Zyxel’s quickly-issued patch will fix the issue, Sternum’s researchers believe that other companies’ drives could be vulnerable to similar issues, urging customers and consumers to always keep an eye out for company announcements and apply patches as soon as they become available.
- Looking to take your storage entirely off-prem? Check out the best cloud storage providers
With several years’ experience freelancing in tech and automotive circles, Craig’s specific interests lie in technology that is designed to better our lives, including AI and ML, productivity aids, and smart fitness. He is also passionate about cars and the decarbonisation of personal transportation. As an avid bargain-hunter, you can be sure that any deal Craig finds is top value!