Zyxel has launched security updates to deal with vital flaws impacting two of its network-attached storage (NAS) units which have at the moment reached end-of-life (EoL) standing.
Profitable exploitation of three of the 5 vulnerabilities might allow an unauthenticated attacker to execute working system (OS) instructions and arbitrary code on affected installations.
Impacted fashions embody NAS326 operating variations V5.21(AAZF.16)C0 and earlier, and NAS542 operating variations V5.21(ABAG.13)C0 and earlier. The shortcomings have been resolved in variations V5.21(AAZF.17)C0 and V5.21(ABAG.14)C0, respectively.
A short description of the issues is as follows –
- CVE-2024-29972 – A command injection vulnerability within the CGI program “remote_help-cgi” that might enable an unauthenticated attacker to execute some working system (OS) instructions by sending a crafted HTTP POST request
- CVE-2024-29973 – A command injection vulnerability within the ‘setCookie’ parameter that might enable an unauthenticated attacker to execute some OS instructions by sending a crafted HTTP POST request
- CVE-2024-29974 – A distant code execution vulnerability within the CGI program ‘file_upload-cgi’ that might enable an unauthenticated attacker to execute arbitrary code by importing a crafted configuration file
- CVE-2024-29975 – An improper privilege administration vulnerability within the SUID executable binary that might enable an authenticated native attacker with administrator privileges to execute some system instructions because the ‘root’ person
- CVE-2024-29976 – An improper privilege administration vulnerability within the command ‘show_allsessions’ that might enable an authenticated attacker to acquire a logged-in administrator’s session info containing cookies on an affected system
Outpost24 security researcher Timothy Hjort has been credited with discovering and reporting the 5 flaws. It is price noting that the 2 of the privilege escalation flaws that require authentication stay unpatched.
Whereas there isn’t any proof that the problems have been exploited within the wild, customers are beneficial to replace to the most recent model for optimum safety.
