Zyxel Networks has released an emergency security update to address three critical vulnerabilities affecting older NAS devices that have reached end-of-life.
The flaws affect NAS326 running firmware versions 5.21(AAZF.16)C0 and earlier, and NAS542 running firmware versions 5.21(ABAG.13)C0 and older.
The networking solutions vendor addressed three critical flaws, which allow attackers to perform command injection and remote code execution. However, two of the flaws, which allow privilege escalation and information disclosure, were not fixed in the end-of-life products.
Outpost24 security researcher Timothy Hjort discovered and reported all five vulnerabilities to Zyxel. Today, the researchers published a detailed write-up and proof-of-concept (PoC) exploits in coordination with Zyxel's disclosure.
The disclosed flaws are listed below, with only CVE-2024-29972, CVE-2024-29973, and CVE-2024-29974 fixed by Zyxel:
- CVE-2024-29972: Command injection flaw in the CGI program (‘remote_help-cgi’) allowing an unauthenticated attacker to send a specially crafted HTTP POST request to execute OS commands using a NsaRescueAngel backdoor account that has root privileges.
- CVE-2024-29973: Command injection flaw in the ‘setCookie’ parameter, allowing an attacker to send a specially crafted HTTP POST request to execute OS commands.
- CVE-2024-29974: Remote code execution bug in the CGI program (‘file_upload-cgi’), allowing an unauthenticated attacker to upload malicious configuration files to the device.
- CVE-2024-29975: Improper privilege management flaw in the SUID executable binary allowing an authenticated local attacker with admin rights to execute system commands as the “root” user. (Not fixed)
- CVE-2024-29976: Improper privilege management problem in the ‘show_allsessions’ command, allowing an authenticated attacker to obtain session information, including active admin cookies. (Not fixed)
Although both NAS models reached the end of their support period on December 31, 2023, Zyxel released fixes for the three critical flaws in versions 5.21(AAZF.17)C0 for NAS326 and 5.21(ABAG.14)C0 for NAS542.
“Due to the critical severity of vulnerabilities CVE-2024-29972, CVE-2024-29973, and CVE-2024-29974, Zyxel has made patches available to customers […] despite the products already having reached end-of-vulnerability-support,” reads a Zyxel security advisory.
Zyxel says that it has not observed the vulnerability exploited in the wild. However, as there are now public proof-of-concept exploits, owners should apply the security updates as soon as possible.
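For administrators checking an inventory against the firmware versions named above, the following is an added example, not code from Zyxel or Outpost24. It assumes firmware strings follow the `5.21(AAZF.16)C0` layout seen in the article (optionally prefixed with `V`); the function names and the sample inventory are constructed for illustration.

```python
import re

# Fixed firmware per model, taken from the article. The four-letter tag inside
# the parentheses (AAZF / ABAG) is what ties a version string to a model.
FIXED = {
    "AAZF": ("NAS326", (5, 21, 17)),
    "ABAG": ("NAS542", (5, 21, 14)),
}
# CVEs the article says remain unfixed even on the patched firmware.
STILL_OPEN = ["CVE-2024-29975", "CVE-2024-29976"]

# Assumed layout: <major>.<minor>(<TAG>.<patch>)C<n>, e.g. 5.21(AAZF.16)C0
_VERSION_RE = re.compile(r"^\s*V?(\d+)\.(\d+)\(([A-Z]{4})\.(\d+)\)C\d+\s*$")


def assess(version):
    """Classify one firmware string as patched, vulnerable, or unknown."""
    m = _VERSION_RE.match(version)
    if not m:
        return {"status": "unparsed", "input": version}
    major, minor, tag, patch = m.groups()
    if tag not in FIXED:
        # Not one of the two models covered by this advisory.
        return {"status": "unknown-model", "tag": tag}
    model, fixed = FIXED[tag]
    patched = (int(major), int(minor), int(patch)) >= fixed
    return {
        "status": "patched" if patched else "vulnerable",
        "model": model,
        "needs": None if patched else "%d.%d(%s.%d)C0" % (fixed[0], fixed[1], tag, fixed[2]),
        "still_open": STILL_OPEN,
    }


def audit(inventory):
    """Return {hostname: assessment} for a {hostname: firmware} mapping."""
    return {host: assess(fw) for host, fw in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; hostnames are placeholders.
    sample = {
        "nas-office": "V5.21(AAZF.16)C0",
        "nas-backup": "5.21(ABAG.14)C0",
        "nas-lab": "5.21(ABAG.9)C0",
    }
    for host, result in audit(sample).items():
        print(host, result["status"], result.get("needs") or "")
```

A device reported as `patched` still carries the two unfixed CVEs listed in `still_open`, so the result is a prompt to plan replacement or isolation as well as an update check.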