Zyxel patches critical flaws in EOL NAS devices

Zyxel has released patches for three critical vulnerabilities (CVE-2024-29972, CVE-2024-29973, and CVE-2024-29974) affecting two network-attached storage (NAS) devices that have recently reached end-of-vulnerability-support.


About the vulnerabilities

The three vulnerabilities are:

  • A command injection vulnerability in the CGI program that could allow an unauthenticated attacker to execute some OS commands by sending a crafted HTTP POST request (CVE-2024-29972)
  • A command injection vulnerability in the “setCookie” parameter that could allow an unauthenticated attacker to execute some OS commands by sending a crafted HTTP POST request (CVE-2024-29973)
  • A remote code execution vulnerability in the CGI program “file_upload-cgi” that could allow an unauthenticated attacker to execute arbitrary code by uploading a crafted configuration file to a vulnerable device (CVE-2024-29974)

The vulnerabilities have been discovered and reported by Timothy Hjort, a vulnerability researcher with Outpost24’s Ghost Labs.

Hjort also found a backdoor account used for remote support (that was supposedly removed four years ago) and two other flaws that can be exploited by attackers who have already gained access to a vulnerable device to elevate their privileges:

  • CVE-2024-29975 may allow an authenticated attacker with admin privileges to execute some system commands as “root”
  • CVE-2024-29976, an information disclosure flaw, may allow an authenticated attacker to obtain session tokens for all authenticated users, including administrators

In his technical write-up about the vulnerabilities, he also included proof-of-concept exploit code.

Patches for some of the flaws are available

The vulnerabilities affect Zyxel NAS models NAS326, running v5.21(AAZF.16)C0 and earlier, and NAS542, running v5.21(ABAG.13)C0 and earlier.

“Zyxel has treated the disclosure process fairly, agreeing to a coordinated disclosure,” Hjort noted.

“Despite the fact that the device has reached End-of-Life by the end of last year, they still released patches for the three critical vulnerabilities CVE-2024-29972, CVE-2024-29973, and CVE-2024-29974. Furthermore, as the device has reached End-of-Life, they decided to remove the ‘Remote Support’ account ‘NsaRescueAngel’.”

Users of the EOL devices are advised to upgrade to v5.21(AAZF.17)C0 and v5.21(ABAG.14)C0, respectively.
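As an added example (not from the article, Zyxel or the researcher), here is a small check a defender could run over an inventory of NAS326/NAS542 firmware strings to flag devices still on a pre-patch build. The version-string grammar v&lt;major&gt;.&lt;minor&gt;(&lt;branch&gt;.&lt;build&gt;)C&lt;rev&gt; and the ordering used to compare builds are inferred from the versions quoted above and are assumptions.

```python
import re
from typing import NamedTuple

# First fixed firmware per model, as stated in the advisory quoted above.
FIXED_FIRMWARE = {
    "NAS326": "v5.21(AAZF.17)C0",
    "NAS542": "v5.21(ABAG.14)C0",
}

# Assumed grammar: v<major>.<minor>(<branch>.<build>)C<rev>
_VERSION_RE = re.compile(r"^v(\d+)\.(\d+)\(([A-Z]+)\.(\d+)\)C(\d+)$")


class Firmware(NamedTuple):
    major: int
    minor: int
    branch: str   # model-specific code, e.g. AAZF for NAS326, ABAG for NAS542
    build: int
    rev: int

    def ordering(self) -> tuple:
        # Assumption: builds compare by release, then build, then revision.
        return (self.major, self.minor, self.build, self.rev)


def parse_firmware(version: str) -> Firmware:
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Zyxel firmware string: {version!r}")
    major, minor, branch, build, rev = m.groups()
    return Firmware(int(major), int(minor), branch, int(build), int(rev))


def is_vulnerable(model: str, version: str) -> bool:
    """True if the device runs firmware older than the patched release for its model."""
    if model not in FIXED_FIRMWARE:
        raise ValueError(f"{model} is not one of the models named in the advisory")
    fixed = parse_firmware(FIXED_FIRMWARE[model])
    running = parse_firmware(version)
    if running.branch != fixed.branch:
        # A branch code from another model means the inventory row is wrong, not safe.
        raise ValueError(f"firmware branch {running.branch} does not belong to {model}")
    return running.ordering() < fixed.ordering()


if __name__ == "__main__":
    # Constructed sample inventory, not real devices.
    inventory = [("NAS326", "v5.21(AAZF.16)C0"), ("NAS542", "v5.21(ABAG.14)C0")]
    for model, fw in inventory:
        print(model, fw, "VULNERABLE" if is_vulnerable(model, fw) else "patched")
```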

Zyxel did not mention whether any of the flaws are being exploited, but with all this information now public, it’s likely just a matter of time until vulnerable devices get conscripted into a botnet or hit with ransomware.

UPDATE (June 25, 2024, 2:20 a.m. ET):

The Shadowserver Foundation has detected CVE-2024-29973 exploitation attempts by a Mirai-like botnet in their sensors.
