Zyxel patches vulnerability in NAS devices (CVE-2023-27988) - #CVE-2023-27988
2023-05-31 _A vulnerability dubbed "NTP Textbox" has been discovered in Zyxel's NAS326, NAS540, and NAS542 devices. This authenticated code execution vulnerability (CVE-2023-27988) was found in the Linux-operated devices during the deployment of a new feature. The issue lies in the ntpdate\_agent process, which is responsible for periodically synchronizing the device's internal clock via NTP pings. The vulnerability allows an authenticated user to execute arbitrary system commands with root privileges on the device, potentially leading to remote malware injection._ _The researchers who discovered the vulnerability reached out to Zyxel on March 3rd, 2023. Zyxel acknowledged the issue and issued a security patch and CVE-2023-27988 on May 30, 2023. Users are advised to apply the patch to fix the issue. Throughout the disclosure process, Zyxel's team was responsive and cooperative, ensuring a responsible and informative disclosure._ _This vulnerability highlights the importance of proper input sanitization in preventing security issues. Firmware developers often lack the necessary tools or APIs in embedded environments, leading to vulnerabilities like this one. The deterministic security model focuses on ensuring system integrity regardless of the attack vector, using embedded integrity verification technology to protect IoT devices from potential threats. --Darien Kindlund_ [View Article](https://sternumiot.com/iot-blog/ntp-textbox-vulnerability-in-zyxel-nas326-nas540-and-nas542-devices/)