Zyxel dealt with three Remote Code Execution (RCE) vulnerabilities in obsolete NAS devices

Pierluigi Paganini

June 05, 2024

Zyxel Networks took urgent actions to fix critical vulnerabilities in old NAS products.

Zyxel Networks released an emergency security update to resolve three critical flaws in certain NAS devices that have reached end-of-life.

By exploiting these vulnerabilities, an intruder could conduct command injection attacks and execute code remotely. Additionally, two of the vulnerabilities could enable attackers to escalate privileges.

Outpost24 researcher Timothy Hjort reported the flaws to the manufacturer and published a detailed analysis and proof-of-concept (PoC) exploit code for them.

The flaws affecting Zyxel NAS devices are summarized below:

  • CVE-2024-29972: A command injection vulnerability in the CGI program “remote_help-cgi” in Zyxel NAS326 and NAS542 devices. It could allow an unauthenticated attacker to execute some operating system (OS) commands by sending a specially crafted HTTP POST request.
  • CVE-2024-29973: A command injection vulnerability in the “setCookie” parameter in Zyxel NAS326 and NAS542 devices. It could allow an unauthenticated attacker to execute some OS commands by sending a crafted HTTP POST request.
  • CVE-2024-29974: A remote code execution vulnerability in the CGI program “file_upload-cgi” in Zyxel NAS326 and NAS542 devices. It could allow an unauthenticated attacker to execute arbitrary code by uploading a crafted configuration file to a vulnerable device.
  • CVE-2024-29975: An improper privilege management vulnerability in the SUID executable binary in Zyxel NAS326 and NAS542 devices. It could allow an authenticated local attacker with administrator privileges to execute some system commands as the “root” user on a vulnerable device.
  • CVE-2024-29976: An improper privilege management vulnerability in the command “show_allsessions” in Zyxel NAS326 and NAS542 devices. It could allow an authenticated attacker to obtain a logged-in administrator’s session information, including cookies, on a vulnerable device.

The vulnerabilities affect NAS326 firmware versions 5.21(AAZF.16)C0 and earlier, and NAS542 firmware versions 5.21(ABAG.13)C0 and earlier.

The manufacturer did not address CVE-2024-29975 and CVE-2024-29976 in their legacy products.
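The following check is an added example, not code from Zyxel or Outpost24: it parses firmware strings in the format quoted above and reports which of the listed CVEs still apply to each device in an inventory. The hostnames, the optional "V" prefix, and the assumption that builds newer than those listed still carry the two unaddressed CVEs are ours.

```python
import re

# Last affected build per model (model code and version as given in the article).
LAST_AFFECTED = {"NAS326": ("AAZF", (5, 21, 16, 0)),
                 "NAS542": ("ABAG", (5, 21, 13, 0))}
PATCHED_IN_LATER_BUILDS = ["CVE-2024-29972", "CVE-2024-29973", "CVE-2024-29974"]
# Assumption: never fixed, so they apply to every build of these models.
NOT_ADDRESSED = ["CVE-2024-29975", "CVE-2024-29976"]

# Format: 5.21(AAZF.16)C0, with an optional leading "V" (assumed).
VERSION_RE = re.compile(r"^V?(\d+)\.(\d+)\(([A-Z]{4})\.(\d+)\)C(\d+)$")

def parse_firmware(version):
    """Return (model_code, numeric_tuple); numeric so that build 9 < build 13."""
    m = VERSION_RE.match(version.strip().upper())
    if not m:
        raise ValueError(f"unrecognized firmware string: {version!r}")
    major, minor, code, build, cnum = m.groups()
    return code, (int(major), int(minor), int(build), int(cnum))

def open_cves(model, version):
    """List the CVEs from the article that still apply to this device."""
    if model not in LAST_AFFECTED:
        raise ValueError(f"model not covered by the article: {model}")
    expected_code, last_affected = LAST_AFFECTED[model]
    code, parsed = parse_firmware(version)
    if code != expected_code:
        # Inventory mismatch: flag it instead of guessing.
        raise ValueError(f"{version} is not {model} firmware")
    if parsed <= last_affected:
        return PATCHED_IN_LATER_BUILDS + NOT_ADDRESSED
    return list(NOT_ADDRESSED)

def audit(inventory):
    """inventory: (host, model, version) tuples -> {host: CVE list or note}."""
    report = {}
    for host, model, version in inventory:
        try:
            report[host] = open_cves(model, version)
        except ValueError as exc:
            report[host] = f"REVIEW: {exc}"
    return report

# Constructed inventory: hostnames and builds other than the article's are made up.
SAMPLE = [("nas-a", "NAS326", "V5.21(AAZF.16)C0"),
          ("nas-b", "NAS326", "5.21(AAZF.17)C0"),
          ("nas-c", "NAS542", "5.21(ABAG.9)C0"),
          ("nas-d", "NAS542", "5.21(AAZF.16)C0")]

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Comparing the build fields as integers matters here: a plain string comparison would rank ABAG.9 above ABAG.13 and report an affected device as patched.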

According to the advisory published by the company, “Despite the products being at the end of the support period for security vulnerabilities, Zyxel has issued patches for vulnerabilities CVE-2024-29972, CVE-2024-29973, and CVE-2024-29974 to customers still under extended support as detailed in the table below. The end-of-support for vulnerabilities for both NAS326 and NAS542 was on December 31, 2023.”

Zyxel is not aware of any attacks exploiting these vulnerabilities in the wild.

(SecurityAffairs – hacking, RCE)


