Advisory

Zyxel releases emergency critical patch for end-of-life NAS326 and NAS542 devices

Take action: If you are using NAS326 or NAS542 devices, make sure they can't be accessed from the internet. Then patch ASAP, because even if isolated, a hacker will eventually find them.


Learn More

Zyxel Networks has released an urgent security update addressing three critical vulnerabilities in older NAS devices that have reached their end-of-life. The flaws impact NAS326 running firmware versions 5.21(AAZF.16)C0 and earlier, and NAS542 running firmware versions 5.21(ABAG.13)C0 and older.

These vulnerabilities enable attackers to perform command injection and remote code execution:

  • CVE-2024-29972 (CVSS score 9.8): A command injection flaw in the CGI program ('remote_help-cgi') that allows an unauthenticated attacker to execute OS commands using a NsaRescueAngel backdoor account with root privileges.
  • CVE-2024-29973 (CVSS score 9.8): A command injection flaw in the 'setCookie' parameter, permitting an attacker to execute OS commands via a specially-crafted HTTP POST request.
  • CVE-2024-29974 (CVSS score 9.8): A remote code execution bug in the CGI program ('file_upload-cgi'), allowing an unauthenticated attacker to upload malicious configuration files to the device.

These vulnerabilities have been fixed in the latest firmware versions 5.21(AAZF.17)C0 for NAS326 and 5.21(ABAG.14)C0 for NAS542.

Two other flaws were not fixed due to the end-of-life status of the products and their lower severity:

  • CVE-2024-29975 (CVSS score 6.7): An improper privilege management flaw in the SUID executable binary that allows an authenticated local attacker with admin rights to execute system commands as the "root" user.
  • CVE-2024-29976 (CVSS score 6.8): An improper privilege management problem in the 'show_allsessions' command, allowing an authenticated attacker to obtain session information, including active admin cookies.
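The firmware versions listed above can be checked against a device inventory. The following Python sketch is an added example, not code from Zyxel or from the researcher; the version-string layout, the optional leading "V" and the inventory rows are assumptions made for illustration.

```python
import re

# Fixed firmware per model, taken from the advisory text.
FIXED = {"NAS326": "5.21(AAZF.17)C0", "NAS542": "5.21(ABAG.14)C0"}

# Assumed layout: <major>.<minor>(<model code>.<patch>)C<release>.
# Accepting an optional leading "V" is an assumption about how tools report it.
_FW_RE = re.compile(r"^\s*V?(\d+)\.(\d+)\(([A-Z]{4})\.(\d+)\)C(\d+)\s*$")


def parse_firmware(version):
    """Return (model_code, numeric_key); raise ValueError if unparseable."""
    m = _FW_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised firmware string: {version!r}")
    major, minor, code, patch, release = m.groups()
    # Compare numerically so that patch 9 sorts below patch 17.
    return code, (int(major), int(minor), int(patch), int(release))


def triage(model, version):
    """Classify a device as 'patched', 'vulnerable' or 'unknown'.

    'patched' covers only the three critical CVEs; CVE-2024-29975 and
    CVE-2024-29976 are not fixed in any firmware named in the advisory.
    """
    fixed = FIXED.get(model.upper())
    if fixed is None:
        return "unknown"  # model not covered by this advisory
    try:
        code, key = parse_firmware(version)
    except ValueError:
        return "unknown"  # needs a manual check
    fixed_code, fixed_key = parse_firmware(fixed)
    if code != fixed_code:
        return "unknown"  # firmware code does not match the stated model
    return "patched" if key >= fixed_key else "vulnerable"


# Constructed inventory rows: (hostname, model, reported firmware).
INVENTORY = [
    ("nas-office", "NAS326", "V5.21(AAZF.16)C0"),
    ("nas-backup", "NAS542", "5.21(ABAG.14)C0"),
    ("nas-lab", "NAS326", "5.21(AAZF.9)C0"),
    ("nas-odd", "NAS542", "5.21(AAZF.17)C0"),
]


def report(inventory):
    """Map each hostname to its triage status."""
    return {host: triage(model, fw) for host, model, fw in inventory}


if __name__ == "__main__":
    for host, status in report(INVENTORY).items():
        print(f"{host}: {status}")
```

Devices reported as "unknown" need a manual check rather than being treated as safe.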

Outpost24 security researcher Timothy Hjort discovered and reported all five vulnerabilities. Detailed write-ups and proof-of-concept (PoC) exploits are published in coordination with Zyxel's disclosure.

Although Zyxel has not observed these vulnerabilities being exploited in the wild, users should be worried about quick attacks because a public PoC exploit is available for hackers to learn from.
