Installing the latest firmware (micro program) on NAS326: does it stop the presently known threat?

LBar Posts: 1
edited January 2023 in Personal Cloud Storage

Publication date: 09/09/2022

CVE-2022-34747 [CVSS v3.1 score: 9.8]
A format string vulnerability in certain Zyxel NAS products allows an attacker, by sending specially crafted UDP requests, to execute arbitrary code on the system.

Please confirm that I am OK regarding that issue if I install the latest firmware version.

best regards

Luc

All Replies

  • Mijzelf
    Mijzelf Posts: 2,645  Guru Member
    @Zyxel_Jerry Can I get more information about this vulnerability? According to BleepingComputer the vulnerability was found in June 2022, and shortly after that the NSA Starter Utility was EOL'd. Further, the release notes of 5.21(AAZF.12)C0 state that the 'Format string vulnerability' is fixed, and that nsuagent is removed. Can I conclude that nsuagent is the problem?

  • Zyxel_Jerry
    Zyxel_Jerry Posts: 1,151  Zyxel Employee
    Hi @Mijzelf

    We have fixed the "achieve unauthorized remote code execution via a crafted UDP packet" issue in the firmware.

    The NSU utility is an application that was launched a while ago and may not be suitable for present-day usage, so we made the decision to terminate this utility. Instead, we suggest that our customers use "Find me" to discover the NAS.

    In order to fulfil the same function after this service's discontinuation, please use the "Find me" function to discover your NAS.

    https://community.zyxel.com/en/discussion/13907/nsa-starter-utility-eol-announcement#latest



  • Mijzelf
    Mijzelf Posts: 2,645  Guru Member
    @Zyxel_Jerry That's not an answer to my question. I'm searching for more information on the vulnerability to estimate the risk, and possibly mitigate it. Not everyone can upgrade. @bRiX can't because his 4 NAS326 for some unknown reason are not accessible over SMB without NSU. @MRisco can't because he needs CUPS. I can't because my NAS520 is not supported anymore. (While my much older NAS540 is still supported.)
    When I know which binary or which port is the culprit, I suppose I can disable it using my Tweaks package.


  • Zyxel_Jerry
    Zyxel_Jerry Posts: 1,151  Zyxel Employee
    Hi @Mijzelf

    Solving the issue would require a lot of resources to adjust the structure of the NAS.

    And since lots of packages need a version upgrade, keeping these packages upgraded would be a huge project, so we decided to remove the package from the NAS.

  • Mijzelf
    Mijzelf Posts: 2,645  Guru Member
    @Zyxel_Jerry It seems we're talking past each other. I'm not asking you to solve the issue for EOS boxes. I am asking for more information about the vulnerability. It has a CVSS score of 9.8, which in my opinion would mean that any script kiddie could attack my NAS. But I doubt that is true; any consumer router would block the traffic. Unless the box is in the DMZ. Or unless the box for some reason initiates the communication channel.
    I inventoried the UDP listeners, which are nmbd (137,138), dhcpcd (68), rpcbind (111,706), rpc.mountd (36375), rpc.statd (733,42345), rpc.mountd (42289,41288), avahi-daemon (5353,36060), cupsd (631), timer_source (39618), schedule_contr (22377), uamd (990), nsuagent (50127), and some unknown process at 38648 and one at 41823 (the latter doesn't show a PID in netstat).
    I can't imagine one of 'the big ones', nmbd, rpc*, cupsd, dhcpcd or avahi-daemon, would be the problem. In that case it wouldn't be ZyXEL specific. Then there remain timer_source, schedule_contr, uamd, nsuagent and both unknown processes.
    So which is it? Ilya Shaposhnikov wrote that it took him only half an hour to find the vulnerability. I suppose that means that he could sniff the traffic from a client to the UDP server. Which points to nsuagent. Or maybe myZyXELcloud-Agent, which I haven't installed, and I don't know what it does.
    Am I right? Which one?
    "we decide to remove the package on the NAS."
    Which package?
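The elimination step in the post above (list every UDP listener bound to a LAN-reachable address, drop the stock daemons, and see what vendor-specific processes remain) can be scripted. The following is an added example written for this page; it is not code from the thread, from the Tweaks package or from Zyxel. The netstat listing is constructed to mimic `netstat -ulnp` output on a NAS, with port numbers and process names taken from the inventory above; the list of "stock" daemons to exclude follows the post's own reasoning and is an assumption, not a Zyxel-provided list.

```shell
#!/bin/sh
# Added example (not from the thread or from Zyxel): inventory UDP listeners
# from netstat-style output and single out the vendor-specific ones.

# Constructed sample mimicking `netstat -ulnp` (net-tools/busybox column
# order). Ports and names come from the inventory in the post; the PIDs are
# made up. The last line imitates a socket for which netstat shows no PID.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
udp        0      0 0.0.0.0:137             0.0.0.0:*                           1234/nmbd
udp        0      0 0.0.0.0:138             0.0.0.0:*                           1234/nmbd
udp        0      0 0.0.0.0:111             0.0.0.0:*                           800/rpcbind
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           900/avahi-daemon
udp        0      0 127.0.0.1:39618         0.0.0.0:*                           950/timer_source
udp        0      0 0.0.0.0:50127           0.0.0.0:*                           1010/nsuagent
udp        0      0 0.0.0.0:41823           0.0.0.0:*                           -'

# Print "port program" for every UDP socket bound to a wildcard address
# (0.0.0.0 or ::), i.e. reachable from the LAN rather than loopback only.
# The program name is the last field with the "pid/" prefix stripped; a
# socket without a PID is reported as "-".
udp_exposed() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^udp/ {
            n = split($4, a, ":"); port = a[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (addr == "0.0.0.0" || addr == "::") {
                prog = $NF; sub(/^[0-9]+\//, "", prog)
                print port, prog
            }
        }'
}

# Print the wildcard-bound UDP port(s) of program $2 and exit 0 if there is
# at least one; exit 1 otherwise. Useful as a one-line "is nsuagent still
# listening after the upgrade?" check.
udp_listener_port() {
    udp_exposed "$1" | awk -v p="$2" '$2 == p { print $1; found = 1 } END { exit !found }'
}

# Drop the stock daemons that are not Zyxel-specific (assumed list, matched
# as name prefixes, mirroring the elimination in the post) and print what
# remains: these are the candidates worth investigating or disabling.
udp_vendor_specific() {
    udp_exposed "$1" | awk '$2 !~ /^(nmbd|rpc|cupsd|dhcpcd|avahi-daemon)/ { print $1, $2 }'
}

# Stand-alone demo on the constructed sample.
echo "LAN-reachable UDP listeners:"
udp_exposed "$SAMPLE_NETSTAT"
echo "Vendor-specific candidates:"
udp_vendor_specific "$SAMPLE_NETSTAT"
if port=$(udp_listener_port "$SAMPLE_NETSTAT" nsuagent); then
    echo "nsuagent still listening on UDP/$port"
else
    echo "nsuagent not listening"
fi
```

On a real box, replace the sample with live output: `udp_exposed "$(netstat -ulnp)"`. The parser assumes the net-tools/busybox column layout shown above; `ss -ulnp` prints different columns and would need a different field mapping.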
  • Zyxel_Jerry
    Zyxel_Jerry Posts: 1,151  Zyxel Employee
    Hi @Mijzelf,

    The issue is caused by the negotiation process from the NAS utility to the NAS.
    There is a daemon made to listen for this specific packet from the NAS utility; since we removed the daemon from the NAS, there is no more risk regarding this case.

    The package I mentioned in the previous post is about the issue with CUPS; we removed the CUPS package.
