SMB Edge Devices Face Security Challenges with Asus and Zyxel Patch Warnings

June 21, 2023

Small and midsize businesses (SMBs) face significant security challenges as Asus and Zyxel announce critical security vulnerabilities requiring patches, and Western Digital disconnects unpatched devices from its cloud. Asus released firmware on June 19 to fix nine separate vulnerabilities in some of its router models, including one that could enable a cyberattacker to execute code. The most severe flaws include a critical memory corruption vulnerability in Asus router firmware, tracked as CVE-2022-26376, and another dating back to 2018, tracked as CVE-2018-1160, which according to NIST could allow a threat actor to "achieve arbitrary code execution."

On the same day, Western Digital announced that it had blocked devices running unpatched firmware from its cloud since June 15. A serious vulnerability affecting Western Digital's MyCloud Home and other cloud storage devices could lead to remote code execution, as reported by NIST. The bug, identified as CVE-2022-36327, received a CVSS vulnerability-severity score of 9.8 out of 10, yet the flaw was publicly known for a full month before affected devices were blocked from accessing the Western Digital cloud.

Zyxel also released patches this week to address code-injection vulnerabilities in three versions of its network-attached storage devices. The firmware command injection vulnerability, tracked as CVE-2023-27992, could allow an unauthenticated user to execute operating system commands. The abundance of edge-device patch warnings this week highlights the increasing risk SMBs face due to the growing number of edge devices connected to their networks. Experts estimate that there are over 12 billion active Internet of Things (IoT) and edge devices worldwide, a number expected to reach 27 billion by 2025.

Many SMBs lack basic cybersecurity hygiene and monitoring. Edge devices can initially appear to be an economical choice for building out SMB infrastructure, but they are much more difficult to secure, explains Melissa Bischoping, director of endpoint security research at Tanium. She says, "For small businesses, using small-office-home-office (SOHO) routers and devices is often a cost-effective solution, but the lack of monitoring and centralized management in many of these devices can result in vulnerabilities and insecure configurations that provide easy access to an adversary."

Threat actors are capitalizing on this weakness. Bischoping explains, "Edge infrastructure is an incredibly attractive target for attackers because it generally lacks the depth of monitoring and visibility that endpoints have, and is always public facing by design, removing an initial hurdle for access." Many edge devices are built with open source components, making them even more susceptible to attacks, says John Gallagher, vice president of Viakoo Labs. Gallagher states, "Edge devices like routers, NAS drives, IP cameras, and other IoT/OT systems are the fastest growing part of an organization's attack surface due to their use of open source software components and often being unmanaged and unmonitored." He adds that traditional agent-based IT security solutions don't work for IoT/OT devices, which require agentless solutions.

To secure SMB edge devices, Gallagher recommends starting with a complete inventory of devices using an agentless asset discovery solution. Once cybersecurity teams have visibility into what needs to be defended, that information can be used to direct resources effectively, says Bischoping. She suggests prioritizing visibility of edge assets and using that information to address patching, credential management, and configuration hardening as part of ongoing security hygiene and controls. Other quick wins include rotating default login credentials on devices, employing secure authentication mechanisms, and enforcing least-privilege access for any accounts that may log in to those devices. Gallagher also recommends an automated approach for handling firmware and password updates at the scale required for IoT and edge devices.

SMBs should consider whether devices need to be connected to the Internet or if they would be better suited for a more secure internal network connection, advises Matthew Morin, senior director of product management with NetRise. He suggests that in the case of many vulnerabilities announced by Asus, Zyxel, and Western Digital, ensuring the affected devices were only accessible via internal networks would have dramatically reduced the impact of the vulnerabilities. Morin also recommends that SMBs regularly review what is publicly disclosed from their networks and ensure that devices have clear ownership and tracking of their lifecycle management. More mature organizations can incorporate software bills of materials (SBOMs) for added visibility, he adds.
