PT-2020-13503 · Zyxel · NAS326 and 7 other products

Published: 2020-08-06 · Updated: 2022-02-09 · CVE-2020-13365

CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions

Zyxel NAS520 versions V5.11(AASZ.0)C0 through V5.21(AASZ.4)C0
Zyxel NAS542 versions V5.11(ABAG.0)C0 through V5.21(ABAG.3)C0
Zyxel NSA325 versions V4.81(AAAJ.1)C0 and V4.81(AALS.0)C0
Zyxel NSA310 versions 4.22(AFK.0)C0 and 4.22(AFK.1)C0
Zyxel NAS326 versions V5.11(AAZF.2)C0 through V5.21(AAZF.8)C0
Zyxel NSA310S version V4.75(AALH.2)C0
Zyxel NSA320S versions V4.75(AANV.1)C0 and V4.75(AANV.2)C0
Zyxel NSA221 version V4.41(AFM.1)C0
Zyxel NAS540 versions V5.21(AATB.3)C0 and V5.21(AATB.5)C0
Description

A locally accessible binary in certain Zyxel products allows a non-root user to generate a password for an undocumented user account, which can be used for a TELNET session as root.
Recommendations

For NAS520 versions V5.11(AASZ.0)C0 through V5.21(AASZ.4)C0, consider disabling the TELNET service until a patch is available.
For NAS542 versions V5.11(ABAG.0)C0 through V5.21(ABAG.3)C0, restrict access to the undocumented user account.
For NSA325 versions V4.81(AAAJ.1)C0 and V4.81(AALS.0)C0, avoid using the locally accessible binary.
For NSA310 versions 4.22(AFK.0)C0 and 4.22(AFK.1)C0, limit access to the system.
For NAS326 versions V5.11(AAZF.2)C0 through V5.21(AAZF.8)C0, consider disabling the vulnerable binary.
For NSA310S version V4.75(AALH.2)C0, restrict access to the system.
For NSA320S versions V4.75(AANV.1)C0 and V4.75(AANV.2)C0, avoid using the TELNET service.
For NSA221 version V4.41(AFM.1)C0, limit access to the system.
For NAS540 versions V5.21(AATB.3)C0 and V5.21(AATB.5)C0, consider disabling the vulnerable binary.

At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Weakness Enumeration

Improper Authentication

Related Identifiers

CVE-2020-13365

Affected Products

NAS326
NAS520
NAS540
NAS542
NSA221
NSA310
NSA320S
NSA325