CVE-2023-4473 The Vulnerability That Enables Unauthenticated Attackers to Execute Unauthorized Actions on Zyxel's NAS326 and NAS542

By Mololuwa Adeniji posted Mon December 18, 2023 02:40 PM


On November 30, 2023, Zyxel, a leading provider of networking solutions, issued a public advisory addressing a series of vulnerabilities identified in its NAS326 and NAS542 devices. These vulnerabilities affect devices running firmware version V5.21(AAZF.14)C0 or any earlier version and V5.21(ABAG.11)C0 or any earlier version.

These vulnerabilities included the following:

  • CVE-2023-35137 - Authentication vulnerability that enables an attacker to obtain system information by sending a crafted URL.
  • CVE-2023-35138 - Command injection vulnerability that allows an attacker to run OS commands by sending a crafted HTTP request.
  • CVE-2023-37927 - Improper neutralization of special characters in the CGI that enables an attacker to obtain system information by sending a crafted URL.
  • CVE-2023-37928 - Command injection vulnerability in the WSGI server that allows an attacker to run OS commands by sending a crafted URL.
  • CVE-2023-4473 - Command injection vulnerability that allows an attacker to run OS commands by sending a crafted URL.
  • CVE-2023-4474 - Improper neutralization of special characters in the WSGI server that allows an attacker to run OS commands by sending a crafted URL.

In this blog, we are interested in CVE-2023-4473.

The IBM X-Force team reported this vulnerability while investigating CVE-2023-27992. In fact, CVE-2023-4473 appeared to be a way for attackers to evade the protection against the previously reported CVE-2023-27992. As of today, Zyxel has released a patch for this vulnerability.


Let's talk about CVE-2023-4473

This vulnerability allows a remote attacker to bypass authorization verification by sending URLs with specific paths. The web server skips authentication checks for URLs with those paths, which in turn lets the remote attacker execute arbitrary commands on the system through the same command injection flaw as CVE-2023-27992.

IBM QRadar can be configured to detect exploitation attempts against this vulnerability. Detection can serve as a compensating control if you catch the attack before the attacker successfully executes any system commands.

The primary observation to note is that while IBM QRadar has various DSMs that help with mapping events, the Zyxel device cannot expose the required log through its syslog functionality. While this might seem like a limitation at first, the two workarounds I will expand on in this blog are:

  1. Detection by monitoring flows
  2. Creating a custom DSM to parse your events

IBM QRadar SIEM allows you to create a custom parser to get your events into QRadar. After creating your custom DSM, you should install any one of the following custom property packs to get the URL Query string and Method CEPs:

Both the URL Query string CEP and the Method CEP are disabled by default, so remember to enable them for use in your rule. Here is an event rule that you can adopt.

Apply CVE-2023-4473 - Authentication Bypass on events which are detected by the Local system
and when the event(s) were detected by one or more of Zyxel Custom DSM
and when the event category for the event is one of the following Application.HTTP Opened, Application.Request Successful, Application.Request In Progress
and when the event matches Method (custom) is any of POST
and when the event matches URL Query String (custom) is not N/A
and when the event matches LOWER("URL Query String") LIKE '%/favicon.ico%' AQL filter query

[Screenshots in the original post: Custom Property URL Query string; Custom Property Method; Event Parsing]

Here is a flow rule that you can adopt.

Apply CVE-2023-4473 - Authentication Bypass (Flows) on events which are detected by the Local system
and when the flow matches HTTP Method is any of POST
and when the flow matches LOWER("request url") LIKE '%/favicon.ico%' AQL filter query
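As an added illustration (not code from the original post, from IBM, or from Zyxel), the following Python reproduces the tests shared by the event rule and the flow rule above, run over a few constructed access-log-style lines. The log format, the field names and the sample requests are assumptions for the example; the script is not a QRadar DSM or rule.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed access-log-style records (not real Zyxel syslog output), one
# request per line: client, HTTP method, request URL (or N/A), status code.
SAMPLE_LOG = """\
192.0.2.10 GET /favicon.ico 200
192.0.2.10 POST /cgi-bin/weblogin.cgi 200
198.51.100.7 POST /favicon.ico 200
198.51.100.7 POST /static/Favicon.ICO?v=2 200
203.0.113.5 POST N/A 200
this line is not a request record
"""

# Assumed record layout; a real custom DSM would extract these as properties.
LINE_RE = re.compile(r"^(?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3})$")


@dataclass
class Alert:
    client: str
    method: str
    url: str


def matches_rule(method: Optional[str], url: Optional[str]) -> bool:
    """Mirror the three rule tests: Method is any of POST, URL Query String
    is not N/A, and LOWER(url) LIKE '%/favicon.ico%'."""
    if method != "POST":
        return False
    if not url or url == "N/A":  # property missing or not extracted
        return False
    return "/favicon.ico" in url.lower()  # case-insensitive, like LOWER()


def detect(log_text: str) -> List[Alert]:
    """Apply the rule to raw log text; lines that do not parse are skipped."""
    alerts: List[Alert] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and matches_rule(m["method"], m["url"]):
            alerts.append(Alert(m["client"], m["method"], m["url"]))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"CVE-2023-4473 - Authentication Bypass: {a.client} {a.method} {a.url}")
```

The benign GET of /favicon.ico and the POST without the marker string are not flagged, which is the same behaviour the two QRadar rules produce.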

In conclusion, I hope these rules keep you protected. Zyxel has released patches for this vulnerability; I would advise installing them.
