Issues with firmware V5.21(AAZF.7) on NAS326

chris1284

Hi, 
After installing firmware V5.21(AAZF.7) on my NAS326 there are some issues:

1. password broken after reboot -> passwort reset works but the NAS dosn't accept passwords with "#" in there
2. RSYNC that uses normally the admin password is not working with the new password (and not with the old one)

is there a solution to set the rsync pw on the nas so that i can logon to the rsync service again?



#NAS_Mar_2020

mirtomi

Same issue here on NAS540, cannot access the web interface after firmware upgrade, password contains "#". Any solutions?

Bob2701

Hmm, I guess I'll wait a while.

Mijzelf

@mirtomi : read this thread.

@Bob2701: Also read that thread. The previous firmware has a vulnerability which is actively exploited.

Mel

As far as I know, to avoid the remote code execution vulnerability, the password doesn't accept special characters !  #  $  %  &  (  -  |.

Mijzelf

@Mel: Do you have a source for that? I don't see how ! - ( can trigger the bug, and am missing the ;

Tukemoni

Hi. I have same issue after update. I can't login via web interface ("The username or password is incorrect."), ssh is working normally with old password. Also file sharing working normally and I can login via Mac finder. My password also includes special character(s). If Mel is right, I could try to change password, but how to do it via ssh?

Mijzelf

how to do it via ssh?

You can try to use smbpasswd. If you have changed your password using smbpasswd, you also have to change it once again in the webinterface, to trigger storage in flash.

Tukemoni

Thanks, but I will backup and try password resetting with a button as advised.

masterflai

The "solution" provided by ZyXEL is hopefully just a workaround. After the patch I installed the provided firmware upgrade on NAS540 and NAS326 and I was able to edit the password for the admin user within the configuration menu. There was no claim regarding a '!' in the password. Enter new password, save the configuration and login again. Voila, the password will be prompted as incorrect in cause of the missing symbol. In fact, the new firmware accepts symbols by changing the user password via menu, but the login screen is protected against the vulnerability. Sorry ZyXEL, but these were the last products I bought from you.

Zyxel_Steven

To fix the remote code execution vulnerability, the latest firmware doesn't allow special characters !  #  $  %  &  (  -  | as password.

There is a known issue that user can modify password included special characters !  #  $  %  &  (  -  | when go to Control Panel > Users > Edit User, but user will not able to login after changed password included special characters !  #  $  %  &  (  -  |. We will fix it in next official firmware to comprehensive forbid special characters !  #  $  %  &  (  -  |.

If user cannot login the web interface with password included special characters !  #  $  %  &  (  -  | after firmware update is finished, please press the hardware reset button at the back of NAS for 2 seconds, and will hear one beep sound, then release the hardware reset button. This resets the NAS's IP address and password to the default setting (admin/1234).

Please note,
1. This reset will not erase all configuration of NAS device, it will only reset the password for admin and the network IP.
2. This reset will not cause any data loss or damage in your NAS device or disk.
3. If the IP of NAS device was set for manually, the IP would switch to automatically after the reset. Please access Web GUI >> Control Panel >> Network >> TCP/IP >> Network Interface to re-configure the network Settings.