Zyxel security advisory for the remote code execution vulnerability of NAS products



  • MaccaL
    MaccaL Posts: 2  Freshman Member
    A quick update to my previous post: In fact there is one of the special characters !§$%&? etc. in the password that no longer works. However, current password policies usually require the password to consist of:
    - lower case letters
    - upper case letters
    - numbers
    - special characters

    @Zyxel: Please improve your solution to filter the input strings! Special characters are mandatory in passwords! You can't be serious about disallowing special characters.
  • To33y
    To33y Posts: 1
    The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.
  • Orrby
    Orrby Posts: 5  Freshman Member
    NAS540 infected with this ransomware, what should I do?
    I have the ransom.txt in every folder, but no files are encrypted yet? I have a backup of the crucial files but have a bunch of videos etc. that I don't have a backup for.
    Installed the new firmware today, I can access my files etc. but wonder: is the ransomware still active or wiped out with the new firmware?
    What can I do? How do I run a malware program on the NAS to check?

    / Thanks
  • Mijzelf
    Mijzelf Posts: 1,975  Guru Member
    Do not assume the ransomware is gone with installing the new firmware. It's trivial to install something on the NAS which will survive reboots and firmware upgrades.
    How do I run a malware program on the NAS to check?
    You can't. You can enable the ssh server, log in over ssh and run 'ps' to see if there are any suspicious processes. Or you can try to find the ransomware on disk. I wrote about that here.

    Further you can try to save your files by copying them, or by switching off the NAS. In the latter case you'll have to use another Linux system to read the disks.

  • Orrby
    Orrby Posts: 5  Freshman Member
    OK, I now have a backup of everything I need, so today I plan to do a full reset of the NAS.
    The only thing is that it's years ago that I did anything on this NAS, so I don't remember the steps yet :) 3x 4TB WD Red disks in RAID 5? Any pointers?
  • Mijzelf
    Mijzelf Posts: 1,975  Guru Member
    edited March 2020
    You should 'reset' the disks, to make sure the malware can't hide there. Enable the ssh server, log in over ssh as root (using your admin password). If you are using Windows you can use PuTTY for that.
    Then execute

    dd if=/dev/zero of=/dev/sda count=2048
    dd if=/dev/zero of=/dev/sdb count=2048
    dd if=/dev/zero of=/dev/sdc count=2048
    dd if=/dev/zero of=/dev/sdd count=2048

    This will overwrite the first 1MiB of all disks with zeros, wiping the partition tables. If you now do a factory reset (keep the reset button pressed until it has beeped 3 times), the NAS will be as new, with empty disks. Log in to the web interface (admin/1234), and create a new volume.

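Added example, not part of Mijzelf's post and not Zyxel tooling: a shell check that the first 1 MiB of each disk (dd's `count=2048` at its default 512-byte block size) reads back as zeros after the wipe above. The function names are made up for this example, and it assumes `head -c`, `tr` and `wc` are available on the system where the disks are checked.

```shell
#!/bin/sh
# Added example (not from the original post): confirm that the start of a
# disk or disk image reads back as zeros after the dd wipe.

WIPE_BYTES=$((2048 * 512))   # dd count=2048 with the default 512-byte block = 1 MiB

# nonzero_in_head PATH [BYTES]: print how many non-zero bytes are in the first BYTES of PATH
nonzero_in_head() {
    head -c "${2:-$WIPE_BYTES}" "$1" | tr -d '\000' | wc -c | tr -d ' '
}

# head_is_wiped PATH [BYTES]: succeed only if PATH yields BYTES bytes and all are zero
# (exit status 2 means a short read: target too small or unreadable)
head_is_wiped() {
    want="${2:-$WIPE_BYTES}"
    have=$(head -c "$want" "$1" | wc -c | tr -d ' ')
    [ "$have" -eq "$want" ] || return 2
    [ "$(nonzero_in_head "$1" "$want")" -eq 0 ]
}

# check_disks PATH...: report every target, fail if any one is not wiped
check_disks() {
    rc=0
    for d in "$@"; do
        if head_is_wiped "$d"; then
            echo "$d: first $WIPE_BYTES bytes are zero"
        else
            echo "$d: NOT wiped (or unreadable)"
            rc=1
        fi
    done
    return $rc
}

# Usage as root, with the disk names from the post: check_disks /dev/sda /dev/sdb /dev/sdc /dev/sdd
```

A failed check before the factory reset means the partition table on that disk is still readable, so the dd command for that disk should be repeated.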
  • Orrby
    Orrby Posts: 5  Freshman Member
    Thanks, I will take a look at that. I do remember using PuTTY a few years ago.
  • Bartek
    Bartek Posts: 2  Freshman Member
    Dear Zyxel,
    You had two weeks to fix the password login bug in this fix, but you did not, shame on you!
    I encountered the same problem with the web GUI login yesterday; ssh login works.
    Even changing the password over ssh to one without special characters does not fix the web GUI login issue.

  • Bartek
    Bartek Posts: 2  Freshman Member
    Bugs bugs bugs!!!
    Dear Zyxel, this update has other bugs in the password handling:
    - you are not allowed to change to a password containing @# etc.
    - after changing the password and then successfully changing the password in the settings to one that includes @#, you CANNOT log in again to the GUI !!!! CORRECT IT !!
  • Zyxel_Steven
    Zyxel_Steven Posts: 247  Zyxel Employee
    edited March 2020

    There is a known issue: a user can change the password to one that includes the special characters !  #  $  %  &  (  -  | under Control Panel > Users > Edit User, but the user will not be able to log in after changing to a password that includes the special characters !  #  $  %  &  (  -  |. We will fix it in the next official firmware to comprehensively forbid the special characters !  #  $  %  &  (  -  |.

    // Updated.
    NAS326: V5.21(AAZF.8)C0
    NAS520: V5.21(AASZ.4)C0
    NAS540: V5.21(AATB.5)C0
    NAS542: V5.21(ABAG.5)C0

    The release note is in the attachment.