Zyxel Networks released an emergency security update to address critical vulnerabilities in end-of-life NAS devices.
Zyxel Networks released an emergency security update to address three critical flaws in some of its NAS devices that have reached end-of-life.
An attacker can exploit the vulnerabilities to perform command injection attacks and achieve remote code execution. Two flaws can also allow attackers to elevate privileges.
The Outpost24 researcher Timothy Hjort reported the flaw to the manufacturer and published a detailed analysis and PoC exploit codes for the flaws.
Below is the list impacting the Zyxel NAS devices:
- CVE-2024-29972: This command injection vulnerability in the CGI program “remote_help-cgi” in Zyxel NAS326 and NAS542 devices could allow an unauthenticated attacker to execute some operating system (OS) commands by sending a crafted HTTP POST request.
- CVE-2024-29973: This command injection vulnerability in the “setCookie” parameter in Zyxel NAS326 and NAS542 devices could allow an unauthenticated attacker to execute some OS commands by sending a crafted HTTP POST request.
- CVE-2024-29974: This remote code execution vulnerability in the CGI program “file_upload-cgi” in Zyxel NAS326 and NAS542 devices could allow an unauthenticated attacker to execute arbitrary code by uploading a crafted configuration file to a vulnerable device.
- CVE-2024-29975: This improper privilege management vulnerability in the SUID executable binary in Zyxel NAS326 and NAS542 devices could allow an authenticated local attacker with administrator privileges to execute some system commands as the “root” user on a vulnerable device.
- CVE-2024-29976:This improper privilege management vulnerability in the command “show_allsessions” in Zyxel NAS326 and NAS542 devices could allow an authenticated attacker to obtain a logged-in administrator’s session information containing cookies on an affected device.
The vulnerabilities affect NAS326 running firmware versions 5.21(AAZF.16)C0 and earlier, and NAS542 running firmware versions 5.21(ABAG.13)C0 and older.
The vendor did not address CVE-2024-29975 and CVE-2024-29976 in its end-of-life products.
“Due to the critical severity of vulnerabilities CVE-2024-29972, CVE-2024-29973, and CVE-2024-29974, Zyxel has made patches available to customers with extended support as outlined in the table below, despite the products already having reached end-of-vulnerability-support.” reads the advisory published by the company. “Both NAS326 and NAS542 reached end-of-vulnerability-support on Dec. 31, 2023.”
Zyxel is not aware of attacks in the wild exploiting these vulnerabilities.
Pierluigi Paganini
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, RCE)