Zyxel security advisory for NAS remote access vulnerability

CVEs: CVE-2020-13364, CVE-2020-13365

Summary

Zyxel NAS products are affected by a remote access vulnerability. Users are advised to install the latest firmware patches immediately for optimal protection.

What is the vulnerability?

A remote access vulnerability was identified in a CGI script belonging to the web application of the NAS products. A user logged in with the unprivileged “admin” account could use this script to start a Telnet or SSH service and generate a password for the “NsaRescueAngel” account, which has root privileges. The vulnerable CGI script is a legacy design and has been removed in the latest firmware of the affected NAS products.

What products are vulnerable—and what should you do?

After a thorough investigation, we have confirmed that the NAS products listed in the table below are affected. We urge users to install the latest firmware immediately for the best protection.

Device    Latest firmware version
NAS326    V5.21(AAZF.9)C0
NAS520    V5.21(AASZ.5)C0
NAS540    V5.21(AATB.6)C0
NAS542    V5.21(ABAG.6)C0*
* Please contact your local Zyxel support team for assistance.
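The following script is an added example for administrators checking a fleet of NAS devices against the table above; it is not code from Zyxel or from this advisory. It assumes that a Zyxel firmware string has the layout V<major>.<minor>(<model code>.<build>)C<revision>, that a higher build number within the same model code is newer, and that any version at or above the listed one contains the fix. The inventory lines are constructed sample data.

```python
import re
from dataclasses import dataclass
from typing import Dict

# Fixed firmware versions, taken from the advisory table (keyed by model name).
PATCHED_FIRMWARE = {
    "NAS326": "V5.21(AAZF.9)C0",
    "NAS520": "V5.21(AASZ.5)C0",
    "NAS540": "V5.21(AATB.6)C0",
    "NAS542": "V5.21(ABAG.6)C0",
}

# Assumed layout of a Zyxel firmware string: V<major>.<minor>(<model code>.<build>)C<revision>
_VERSION_RE = re.compile(r"^V(\d+)\.(\d+)\(([A-Z]+)\.(\d+)\)C(\d+)$")

# Constructed sample inventory: hostname,model,running firmware
SAMPLE_INVENTORY = """\
nas-01,NAS326,V5.21(AAZF.8)C0
nas-02,NAS540,V5.21(AATB.6)C0
nas-03,NAS542,V5.21(ABAG.5)C0
"""


@dataclass(frozen=True)
class FirmwareVersion:
    major: int
    minor: int
    model_code: str
    build: int
    revision: int

    @property
    def ordering_key(self):
        # Assumption: major, minor, build and revision compare numerically, in that order.
        return (self.major, self.minor, self.build, self.revision)


def parse_version(text: str) -> FirmwareVersion:
    """Parse a firmware string into its components; raise on unexpected layouts."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware string: {text!r}")
    major, minor, code, build, rev = m.groups()
    return FirmwareVersion(int(major), int(minor), code, int(build), int(rev))


def assess_device(model: str, running: str) -> str:
    """Return 'patched', 'vulnerable', 'unknown-model' or 'mismatch' for one device."""
    if model not in PATCHED_FIRMWARE:
        return "unknown-model"          # model not in the advisory table; check separately
    fixed = parse_version(PATCHED_FIRMWARE[model])
    current = parse_version(running)
    if current.model_code != fixed.model_code:
        return "mismatch"               # firmware string does not belong to this model line
    return "patched" if current.ordering_key >= fixed.ordering_key else "vulnerable"


def assess_inventory(csv_text: str) -> Dict[str, str]:
    """Assess every 'host,model,firmware' line and return host -> status."""
    results = {}
    for line in csv_text.splitlines():
        if not line.strip():
            continue
        host, model, firmware = (field.strip() for field in line.split(","))
        results[host] = assess_device(model, firmware)
    return results


if __name__ == "__main__":
    for host, status in assess_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Devices reported as "vulnerable" should be updated to the listed firmware; a "mismatch" result means the firmware string does not carry the expected model code and the device should be inspected by hand rather than trusted as patched.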

Got a question or a tipoff?

Please contact your local service rep for further information or assistance. If you’ve found a vulnerability, we want to work with you to fix it—contact security@zyxel.com.tw and we’ll get right back to you.

Acknowledgment

Daniel Nussko, an independent researcher from Germany

Revision history

2020-8-5: Initial release