Zyxel Networks has released an emergency security update to address three critical vulnerabilities impacting older NAS devices that have reached end-of-life.
The issues affect NAS326 running firmware versions 5.21(AAZF.16)C0 and earlier, and NAS542 running firmware versions 5.21(ABAG.13)C0 and older.
The networking solutions vendor addressed three critical flaws, which allow attackers to perform command injection and remote code execution. However, two of the issues, which permit privilege escalation and information disclosure, were not fixed in the end-of-life products.
Outpost24 security researcher Timothy Hjort discovered and reported all five vulnerabilities to Zyxel. Today, the researchers published a detailed write-up and proof-of-concept (PoC) exploits in coordination with Zyxel's disclosure.
The disclosed flaws are listed below, with only CVE-2024-29972, CVE-2024-29973, and CVE-2024-29974 fixed by Zyxel:
- CVE-2024-29972: Command injection flaw in the CGI program (‘remote_help-cgi’) allowing an unauthenticated attacker to send a specially crafted HTTP POST request to execute OS commands using a NsaRescueAngel backdoor account that has root privileges.
- CVE-2024-29973: Command injection flaw in the ‘setCookie’ parameter, allowing an attacker to send a specially crafted HTTP POST request to execute OS commands.
- CVE-2024-29974: Remote code execution bug in the CGI program (‘file_upload-cgi’), allowing an unauthenticated attacker to upload malicious configuration files on the device.
- CVE-2024-29975: Improper privilege management flaw in the SUID executable binary allowing an authenticated local attacker with admin rights to execute system commands as the “root” user. (Not fixed)
- CVE-2024-29976: Improper privilege management problem in the ‘show_allsessions’ command, allowing an authenticated attacker to obtain session information, including active admin cookies. (Not fixed)
Although both NAS models reached the end of their support period on December 31, 2023, Zyxel released fixes for the three critical flaws in versions 5.21(AAZF.17)C0 for NAS326 and 5.21(ABAG.14)C0 for NAS542.
“Because of the critical severity of vulnerabilities CVE-2024-29972, CVE-2024-29973, and CVE-2024-29974, Zyxel has made patches available to customers […] despite the products already having reached end-of-vulnerability-support,” reads a Zyxel security advisory.
Zyxel says that it has not observed the vulnerability exploited in the wild. However, as there are now public proof-of-concept exploits, owners should apply the security updates as soon as possible.
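For owners auditing an inventory, the check below classifies a firmware string against the fixed releases named above and lists which of the five CVEs still apply. It is an added example, not Zyxel's or Outpost24's code; the version-string layout, the model-code mapping and the sample inventory are assumptions read off the version numbers in this article.

```python
import re

# Fixed firmware per model, taken from the article. The model codes
# (AAZF = NAS326, ABAG = NAS542) are read off those version strings.
FIXED = {"AAZF": ("NAS326", (5, 21, 17)), "ABAG": ("NAS542", (5, 21, 14))}
PATCHED_CVES = ["CVE-2024-29972", "CVE-2024-29973", "CVE-2024-29974"]
UNPATCHED_CVES = ["CVE-2024-29975", "CVE-2024-29976"]  # no fix released

# Assumed layout: <major>.<minor>(<model code>.<patch>)C<n>
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\(([A-Z]{4})\.(\d+)\)C\d+$")


def assess(firmware):
    """Classify one firmware string against the fixed releases."""
    m = VERSION_RE.match(firmware.strip())
    if m is None:
        raise ValueError(f"unrecognised firmware string: {firmware!r}")
    code = m.group(3)
    if code not in FIXED:
        return {"model": None, "status": "not-covered", "exposed": []}
    model, fixed = FIXED[code]
    # Compare as integers: a string comparison would rank ".9" above ".14".
    current = (int(m.group(1)), int(m.group(2)), int(m.group(4)))
    if current >= fixed:
        # The two unfixed flaws remain even on the latest firmware.
        return {"model": model, "status": "patched",
                "exposed": list(UNPATCHED_CVES)}
    return {"model": model, "status": "vulnerable",
            "exposed": PATCHED_CVES + UNPATCHED_CVES}


if __name__ == "__main__":
    # Constructed inventory, not real device data.
    inventory = {
        "nas-a": "5.21(AAZF.16)C0",
        "nas-b": "5.21(AAZF.17)C0",
        "nas-c": "5.21(ABAG.9)C0",
    }
    for host, fw in inventory.items():
        result = assess(fw)
        print(host, fw, result["status"], ", ".join(result["exposed"]))
```

A device reported as patched still lists CVE-2024-29975 and CVE-2024-29976, since no fix was released for those two.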