Zyxel Networks has released an emergency security update to address three critical vulnerabilities impacting older NAS devices that have reached end-of-life.
The flaws impact NAS326 running firmware versions 5.21(AAZF.16)C0 and earlier, and NAS542 running firmware versions 5.21(ABAG.13)C0 and older.
The networking solutions vendor addressed three critical flaws, which enable attackers to perform command injection and remote code execution. However, two of the flaws allowing privilege escalation and information disclosure were not fixed in the end-of-life products.
Outpost24 security researcher Timothy Hjort discovered and reported all five vulnerabilities to Zyxel. Today, the researchers published a detailed write-up and proof-of-concept (PoC) exploits in coordination with Zyxel disclosure.
The disclosed flaws are listed below, with only CVE-2024-29972, CVE-2024-29973, and CVE-2024-29974 fixed by Zixel:
- CVE-2024-29972: Command injection flaw in the CGI program (‘remote_help-cgi’) allowing an unauthenticated attacker to send a specially-crafted HTTP POST request to execute OS commands using a NsaRescueAngel backdoor account that has root privileges.
- CVE-2024-29973: Command injection flaw in the ‘setCookie’ parameter, allowing an attacker to send a specially-crafted HTTP POST request to execute OS commands.
- CVE-2024-29974: Remote code execution bug in the CGI program (‘file_upload-cgi’), allowing an unauthenticated attacker to upload malicious configuration files on the device.
- CVE-2024-29975: Improper privilege management flaw in the SUID executable binary allowing an authenticated local attacker with admin rights to execute system commands as the “root” user. (Not fixed)
- CVE-2024-29976: Improper privilege management problem in the ‘show_allsessions’ command, allowing an authenticated attacker to obtain session information, including active admin cookies. (Not fixed)
Although both NAS models reached the end of their support period on December 31, 2023, Zyxel released fixes for the three critical flaws in versions 5.21(AAZF.17)C0 for NAS326 and 5.21(ABAG.14)C0 for NAS542.
“Due to the critical severity of vulnerabilities CVE-2024-29972, CVE-2024-29973, and CVE-2024-29974, Zyxel has made patches available to customers […] despite the products already having reached end-of-vulnerability-support,” reads a Zyxel security advisory.
Zyxel says that it has not observed the vulnerability exploited in the wild. However, as there are now public proof-of-concept exploits, owners should apply the security updates as soon as possible.
