Zyxel issues emergency RCE patch for end-of-life NAS devices

Zyxel Networks has released an emergency security update to address three critical vulnerabilities impacting older NAS devices that have reached end-of-life.

The flaws impact NAS326 running firmware versions 5.21(AAZF.16)C0 and earlier, and NAS542 running firmware versions 5.21(ABAG.13)C0 and older.

The networking solutions vendor addressed three critical flaws, which allow attackers to perform command injection and remote code execution. However, two of the flaws, which allow privilege escalation and information disclosure, were not fixed in the end-of-life products.

Outpost24 security researcher Timothy Hjort discovered and reported all five vulnerabilities to Zyxel. The researchers have now published a detailed write-up and proof-of-concept (PoC) exploits in coordination with Zyxel's disclosure.

The disclosed flaws are listed below, with only CVE-2024-29972, CVE-2024-29973, and CVE-2024-29974 fixed by Zyxel:

  • CVE-2024-29972: Command injection flaw in the CGI program (‘remote_help-cgi’) allowing an unauthenticated attacker to send a specially-crafted HTTP POST request to execute OS commands using a NsaRescueAngel backdoor account that has root privileges.
  • CVE-2024-29973: Command injection flaw in the ‘setCookie’ parameter, allowing an attacker to send a specially-crafted HTTP POST request to execute OS commands.
  • CVE-2024-29974: Remote code execution bug in the CGI program (‘file_upload-cgi’), allowing an unauthenticated attacker to upload malicious configuration files on the device.
  • CVE-2024-29975: Improper privilege management flaw in the SUID executable binary allowing an authenticated local attacker with admin rights to execute system commands as the “root” user. (Not fixed)
  • CVE-2024-29976: Improper privilege management problem in the ‘show_allsessions’ command, allowing an authenticated attacker to obtain session information, including active admin cookies. (Not fixed)

Although both NAS models reached the end of their support period on December 31, 2023, Zyxel released fixes for the three critical flaws in versions 5.21(AAZF.17)C0 for NAS326 and 5.21(ABAG.14)C0 for NAS542.

“Because of the critical severity of vulnerabilities CVE-2024-29972, CVE-2024-29973, and CVE-2024-29974, Zyxel has made patches available to customers […] despite the products already having reached end-of-vulnerability-support,” reads a Zyxel security advisory.

Zyxel says that it has not observed the vulnerability exploited in the wild. However, as there are now public proof-of-concept exploits, owners should apply the security updates as soon as possible.
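For administrators checking an inventory against the fixed builds named above, the following is an added example (not code from Zyxel or Outpost24) that classifies firmware version strings. It assumes the version layout seen in this article, that the number after the four-letter code increases with each build, and that the codes AAZF and ABAG identify NAS326 and NAS542; the hostnames are constructed.

```python
import re

# Fixed builds named in the article, keyed by the four-letter code inside the
# version string. Mapping the code to a model is inferred from the article's
# version strings (assumption).
FIXED = {
    "AAZF": ("NAS326", (5, 21), 17),
    "ABAG": ("NAS542", (5, 21), 14),
}

# Assumed layout: optional "V", release "5.21", "(CODE.build)", "C0" suffix.
VERSION_RE = re.compile(r"^V?(\d+)\.(\d+)\(([A-Z]{4})\.(\d+)\)C\d+$", re.I)


def assess(version):
    """Return (model, status) for one firmware version string."""
    m = VERSION_RE.match(version.strip())
    if not m:
        return (None, "unparsed")
    major, minor, code, build = m.groups()
    code = code.upper()
    if code not in FIXED:
        return (None, "not-covered")
    model, fixed_release, fixed_build = FIXED[code]
    current = ((int(major), int(minor)), int(build))
    if current < (fixed_release, fixed_build):
        # Missing the fixes for CVE-2024-29972, -29973 and -29974.
        return (model, "vulnerable")
    # The three critical flaws are fixed; per the article, CVE-2024-29975
    # and CVE-2024-29976 remain unfixed on these end-of-life models.
    return (model, "patched-critical")


def audit(inventory):
    """Map each host in an inventory dict to its (model, status) result."""
    return {host: assess(version) for host, version in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory (hostnames are hypothetical).
    sample = {
        "nas-lab-01": "V5.21(AAZF.16)C0",
        "nas-lab-02": "5.21(AAZF.17)C0",
        "nas-office": "5.21(ABAG.13)C0",
        "nas-other": "4.70(XXXX.1)C0",
    }
    for host, (model, status) in audit(sample).items():
        print(f"{host:12} {model or '-':7} {status}")
```

A "patched-critical" result means only the three critical flaws are addressed; the two unfixed issues still apply to those devices.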
