
521ABAG8C0

The document provides release notes for firmware version V5.21(ABAG.8)C0 for the Zyxel NAS542 network attached storage device. The update includes enhancements like upgrading OpenSSL and disabling printer server services, as well as bug fixes for security vulnerabilities.


Zyxel

Firmware Release Note

NAS542

Release V5.21(ABAG.8)C0
www.zyxel.com


Release Notes
Date: May 30, 2022

Supported Platforms:
ZyXEL NAS542

Release Package:

File name
521ABAG8C0.bin NAS542 Firmware Package for standard version
521ABAG8C0.pdf Firmware release note

Features:
Modification in V5.21(ABAG.8)C0 | May 30 2022
[Enhancement]
• Enhance OpenSSL patch
• Disable printer server service function
• Upgrade netatalk from 3.1.7 to 3.1.13.

Modification in V5.21(ABAG.7)C0 | April 15 2021

[Enhancement]
• Upgrade Twonky Server to 8.5.2.

[Bug fix]
• CVE-2020-13848: Portable UPnP SDK (aka libupnp) 1.12.1 and earlier allows remote attackers to cause a denial of service (crash) via a crafted SSDP message.
• Fix CVE-2020-9054. RCE of FTP login.

Modification in V5.21(ABAG.6)C0 | Jun 12 2020

[Bug fix]
• Fix NAS remote access via backdoor. Hackers need to know the NAS account/password (admin or root) first. They then use it to log in to the NAS's web application and open a specified URL to enable the Telnet feature. An unprivileged user account 'admin' can generate a new password for the user account 'NsaRescueAngel' via Telnet. The password can then be used with the user 'NsaRescueAngel' to access the device via Telnet with root privileges.
• Fix: if the total size (unallocated capacity + current volume size) is larger than 16 TB (16,383 GB), editing the volume size by clicking the "MAX" button makes the volume size larger than 16 TB. After applying this setting, the user cannot log in to the web GUI.

Modification in V5.21(ABAG.5)C0 | Mar 20 2020

[Bug fix]
• Fix vulnerability issue from remote unauthenticated attacker.
  - CVE-2018-1160 (Netatalk)
• Fix rhostname buffer overflow issue.
  - CVE-2020-8597

[Enhancement]
• Modify filtering characters of login password.
  Filter 9 characters as below:
  \" ' ` < > ^ $ &
• Modify filter emoji emoticons:
  \u1F60-\u1F64, \u2702-\u27B0, \u1F68-\u1F6C, \u1F30-\u1F70, \u2600-\u26ff

Modifications in V5.21(ABAG.3)C0 | Feb 24 2020

[Bug fix]
• Fix Samba issue:
  - CVE-2014-3560
  - CVE-2015-0240
  - CVE-2016-2123
  - CVE-2017-7494
  - CVE-2017-14746
• Fix RCE (remote code execution) attack.
  - CVE-2020-9054
• Change client ID and secret of YouTube upload.

[Package]
• [myZyXELcloud-Agent] Update certification.

Note
If you cannot log in to the web interface with the original password after the firmware update is finished, press the hardware reset button at the back of the NAS for 2 seconds; you will hear one beep. Then release the hardware reset button. This resets the NAS’s IP address and password to the default setting (admin/1234).

Modification in V5.21(ABAG.3)C0 | Sep 26 2019

[Enhancement]
• Enhance the patch for networking vulnerabilities to fix:
  - CVE-2019-11477
  - CVE-2019-11478
  - CVE-2019-11479

[Bug fix]
• Fix time zones and DST issue for Russia.
• Fix monthly power schedule issue.

Modification in V5.21(ABAG.2)C0 | Dec 3 2018

[Bug fix]
• Fix power schedule issue.
• Fix File Browser issue.

Modification in V5.21(ABAG.1)C0 | Jun 21 2018

[Bug fix]
• Fix sys log issue.
• Fix NFS problem.
• Remove "Hot swapping" related information.
• Modify the schedule time issue.
• Modify default folder setting.

Modification in V5.21(ABAG.0)C0 | May 26 2017

[Enhancement]
• Enhance the API of backup planner to verify the session before proceeding with the procedure.
• Enhance the implementation of backup planner to eliminate the risk of command injection.
• Upgrade Twonky media server to 8.3.19.
• Force the admin account to modify the password from the default value.
• Now users can play media files on Twonky GUI from remote WAN, e.g. DyDNS.

[Bug fix]
• The file browser API accepts relative paths as arguments, which causes a security problem.

[Package]
• [ownCloud] Upgrade to 7.0

Modification in V5.21 (ABAG. C0) | May 26 2017


[Enhancement]
• New GUI
• New behavior of user/group/share management.
• Upgrade Twonky Media Server to 8.2
• Remove the 2 GB upload limitation of file-browser on WebGUI.
• Twonky with HTML5 player

[Bug fix]
• Refine the mechanism to check looped folder.
• Correct the mechanism in AutoUploadr to determine if a path is a subfolder of another path.
• The privilege of shares with any ‘ or “ in its name can’t be modified.

[Package]
• [All Package] App Center on Desktop
• [DropboxClient] Support Dropbox two way sync
• [DropboxClient] Dropbox synchronization for all sub folders.
• [DropboxClient] Fix DropboxClient can not detect remote-deleted files.
• [NZBGet,PHP,SqueezeCenter,Transmission,WordPress,Gallery,ownCloud] Rebuilt UPnP database when NAS reset to default.

Modification in V5.11(ABAG.3)C0 | Jun 17 2016

[Enhancement]
• Check and remove the incorrect looping softlink when booting up.
• Revise the implementation of the GUI so that clicking the myZyXELcloud button on the desktop won’t be blocked by the web browser.
• Upgrade OpenSSL to 1.0.2h to eliminate some security issues.
• Show a warning message to remind end users that the data on the disk on which they are going to create a volume will be removed.
• Support synchronization to another device with DeltaCopy.
• Hide the httpd version information for security considerations.
• The device when server name is modified to make sure all the services apply the correct server name.

[Bug fixed]
• Normal users fail to upload files through WebDAV.
• iSCSI fails to create instant allocation LUN.
• Fixed the FTP security issue.
• Fixed the issue that the scheduled tasks, including backup plan and power schedule, don’t execute at the right time when daylight saving is enabled.
• Fixed the issue that the permission of portal users will be cleared if users edit the permission in GUI.
• Fixed the issue that users might fail to edit a share when there exists any portal user in the system.

[Package]
• [Tftp, NFS, ownCloud, SqueezeCenter] Fixed bug: packages do not work normally after the NAS reboots if users:
  1. Install package in volume1.
  2. Remove it.
  3. Install package in other volume.
• [PHP] Rebuild PHP because OpenSSL was upgraded.

Modification in V5.11(ABAG.2)C0 | Mar 8 2016

[Enhancement]
• Enhance how the GUI determines if the email address the user entered is valid.
• Apply the patch of Linux kernel to fix CVE-2016-0728.
• Apply the patch of glibc to fix CVE-2015-7547.

[Bug fix]
• Fix FTP client can’t login issue.
• The file browser of Web GUI fails to decompress files if there exists a quota limitation for the logged-in user.
• Sometimes the icons on the desktop are gone after login.
• Revise the log “Failed unknown login attempt (incorrect password or inexistent username)” when the Rsync task fails to authenticate.

Modification in V5.11(ABAG.0)C0 | Jan 27 2016

[Bug fix]
• Users fail to connect to the iSCSI targets after booting if there exist more than three targets on the device and IP of which is set as static.
• Sometimes the icons on the desktop are gone after login.
• Revise the log “Failed unknown login attempt (incorrect password or inexistent username)” when the Rsync task fails to authenticate.
• MAC OS X 10.11 and Safari Media Icon fails to open.
• Media Server activates automatically if a share is deleted.
• Fixed half icon with smaller monitor.
• Status Center File Transfer shows wrong values.
• After restart, admin must log in once for backup jobs from another NAS.
• Users can’t access the external volume through WebDAV if they just hot plug USB storage without entering the Web GUI.
• Correct the address in the link in the webpage that helps users to link to the device after firmware upgrading.
• The file browser of Web GUI fails to decompress files if there exists a quota limitation for the logged-in user.
• Only “global”, “homes”, “printers” are reserved share names.
• Deleting a share always turns on the media server even when it’s been turned off.
• Time zone spelling correction (“Pitori” to “Pretoria”).
• The Music/Video/Photo icon in the desktop-style page doesn’t work on Safari.
• The icon for portal users is created.
• The login time displayed in the session information is negative in German.
• Show the IPv6 information when it’s from AUTO-IP, which means there’s no IPv6 DHCP in the environment.
• The icons on the desktop page can’t be displayed correctly after dragging.

[Enhancement]
• Enhance how the GUI determines if the email address the user entered is valid.
• Hide the group item in the session table. It’s meaningless.
• Refine the algorithm of password strength determination. A password of 14 consecutive ‘A’ characters was determined to be a strong password, which is wrong.
• Adjust the local port range to avoid port conflicts between services.
• Let the Twonky GUI sort the files by track number in folder view.
• Adjust some parameters in system to tune up the performance.
• User searching supports cloud users.
• Hide the cloud users in the pages of setting group, share permission.
• Updated some missing translations.
• Fine tune some GUI behavior according to the response from customers.
• Add pkg upgrade alert in desktop.
• Remove the behavior of adding xxx.0.0.0 into the routing table for interfaces which are NOT the default gateway. It's wrong to add such an item into the routing table.

Enhancement in V5.10(ABAG.2)C0 | Dec 30 2015

[Enhancement]
• Fixed the issue that the device can’t be discovered by Mac.

Enhancement in V5.10(ABAG.1)C0 | Dec 22 2015

[Enhancement]
• Protect over 16TB single volume mechanism
• This version supports the ZyXEL Drive app and some myZyXELcloud functions, but if you have created a single volume over 16TB, the NAS cannot upgrade to V5.10(ABAG.1)C0. The upgrade to this version will fail in that case; please reboot your NAS.
• How to upgrade to V5.10(ABAG.1)C0:
  Step 1: Please back up your files.
  Step 2: Start a new single volume under 16TB.
  Step 3: Upgrade firmware to V5.10(ABAG.1)C0.

Enhancement in V5.10(ABAG.0)C0 | Nov 23 2015

[Enhancement]
• Support FindMe feature
• Support iSCSI feature
• New GUI implementation: Control Panel
  - TCP/IP
  - External storage management
  - Terminal
  - UPnP management
  - DyDNS
  - Firmware upgrade
• Support ZyXEL Drive app
• Add alarm items: FAN fail / power on / off, system ready, HDD degrade / over heat
• Add Widget option
• Add Package URL icon when you install on desktop
• Add Video and Knowledge Base
• Modify some language description

[myZyXELcloud]:
• Monitor NAS health status

Enhancement in V5.04(ABAG.0)C0 | 05/14/2015

[Enhancement]
• Fully support 6TB HDD via JBOD and RAID5
• Stable UPnP Router Detection
• Expand a larger HDD capacity => over 10TB
• New FTP site introduce some sites that have a slow F/W and Package issues.
• Improve package download throughput
• The consistent frequency for each HDD
• Improve LED standby behavior
• Fixed some security issues
• Perl high CPU issue
• Video buffer enhancement
• NAS542 can’t be discovered by Mac if IPv6 is on and there’s any interface not connected.

Enhancement in V5.03(ABAG.0)C0 | Mar 03 2015

[Enhancement]
• RAID5 WRITE performance improvement over 60% (vs. v5.01).
• WebDAV READ/WRITE performance improvement
• Adding SSH.
• Changing LED flash frequency.
• Remind users to change the password if they still use the factory default password.
• Fix the security hole of the GHOST vulnerability, CVE-2015-0235.
• Support the latest version of iTunes 12.1.1
• The default language setting follows the language setting of the browser.
• Some missing translations in multi-language are updated.
• Using a Win8.1 client to unpack files with WinRAR on NAS542 causes damaged files
• Fix Pyload package is unusable
• Add new Samba patch to avoid the CVE-2015-0240 Samba security issue
• Dutch language beta

Enhancement in V5.00(ABAG.0)C0 | Nov 04 2014


[Initial Version]
