Zyxel Addressed Three RCEs in End-Of-Life NAS Devices

Summary:
Zyxel Networks has released an emergency security update to address critical vulnerabilities in its end-of-life NAS devices, specifically NAS326 and NAS542 models. These vulnerabilities, identified as CVE-2024-29972, CVE-2024-29973, and CVE-2024-29974, allow attackers to perform command injection and remote code execution. CVE-2024-29972 is a command injection flaw in the CGI program “remote_help-cgi,” which enables unauthenticated attackers to execute operating system commands by sending a crafted HTTP POST request. Similarly, CVE-2024-29973 is another command injection vulnerability in the “setCookie” parameter, which also allows unauthenticated attackers to execute OS commands through a crafted HTTP POST request. CVE-2024-29974 is a remote code execution vulnerability in the CGI program “file_upload-cgi,” allowing attackers to execute arbitrary code by uploading a crafted configuration file to the vulnerable devices.

Additionally, two more vulnerabilities, CVE-2024-29975 and CVE-2024-29976, involve improper privilege management but were not addressed in this update. CVE-2024-29975 allows an authenticated local attacker with administrator privileges to execute system commands as the “root” user via a flaw in the SUID executable binary. CVE-2024-29976 allows an authenticated attacker to obtain session information, including cookies, from a logged-in administrator through the command “show_allsessions.” These issues affect NAS326 running firmware versions 5.21(AAZF.16)C0 and earlier, and NAS542 running firmware versions 5.21(ABAG.13)C0 and older.
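
The affected-firmware ceilings above are the first thing an asset owner needs to act on. As an added example (not code from Zyxel, Outpost24 or the article), the following Python parses Zyxel's "5.21(AAZF.16)C0"-style version strings and flags inventory entries still at or below the ceilings the advisory lists; the ordering rule (major, minor, build number, then C-level) and the sample inventory are assumptions of this example.

```python
import re
from dataclasses import dataclass

# Affected ceilings stated in the advisory: these builds and older are vulnerable.
AFFECTED_UP_TO = {"NAS326": "5.21(AAZF.16)C0", "NAS542": "5.21(ABAG.13)C0"}

# Zyxel NAS firmware strings look like "V5.21(AAZF.16)C0": major.minor, a
# per-model release code, a build number, and a C-suffixed patch level.
VERSION_RE = re.compile(r"^V?(\d+)\.(\d+)\(([A-Z]+)\.(\d+)\)C(\d+)$")

@dataclass(frozen=True)
class FirmwareVersion:
    major: int
    minor: int
    release_code: str  # AAZF for NAS326, ABAG for NAS542
    build: int
    patch: int  # the trailing C0 / C1 level

    @classmethod
    def parse(cls, text: str) -> "FirmwareVersion":
        m = VERSION_RE.match(text.strip())
        if not m:
            raise ValueError(f"unrecognised Zyxel firmware version: {text!r}")
        major, minor, code, build, patch = m.groups()
        return cls(int(major), int(minor), code, int(build), int(patch))

    def order_key(self) -> tuple:
        # Assumption: builds order by major, minor, build number, then patch level.
        return (self.major, self.minor, self.build, self.patch)

def is_affected(model: str, version_text: str) -> bool:
    """True if the build on `model` is at or below the advisory's affected ceiling."""
    ceiling = FirmwareVersion.parse(AFFECTED_UP_TO[model])
    version = FirmwareVersion.parse(version_text)
    if version.release_code != ceiling.release_code:
        # A different release code belongs to another model line; refuse to guess.
        raise ValueError(f"{version_text!r} is not a {model} firmware build")
    return version.order_key() <= ceiling.order_key()

def triage(inventory: list) -> list:
    """Hostnames from (host, model, version) tuples that are still on affected firmware."""
    return [host for host, model, ver in inventory if is_affected(model, ver)]

# Constructed sample inventory, not real devices.
SAMPLE_INVENTORY = [
    ("nas-01", "NAS326", "V5.21(AAZF.16)C0"),
    ("nas-02", "NAS326", "V5.21(AAZF.17)C0"),
    ("nas-03", "NAS542", "5.21(ABAG.12)C0"),
]
```

A build newer than the ceiling is only treated as "not in the affected range"; confirm the actual fixed version against Zyxel's advisory before closing a finding.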
Security Officer Comments:
Outpost24 researcher Timothy Hjort reported these vulnerabilities and provided a detailed analysis and proof-of-concept exploit code. Although these products reached end-of-vulnerability-support on December 31, 2023, Zyxel provided patches for the critical vulnerabilities because of their severity. Zyxel has stated that it is not aware of any active exploitation of these vulnerabilities in the wild.

Suggested Corrections:
Due to the critical severity of CVE-2024-29972, CVE-2024-29973, and CVE-2024-29974, Zyxel has made patches available to customers with extended support, as outlined in the table in Zyxel's advisory (linked below), despite the products already having reached end-of-vulnerability-support.

Link(s):
https://securityaffairs.com/164150/security/zyxel-rce-eof-nas-devices.html

https://www.zyxel.com/global/en/sup...le-vulnerabilities-in-nas-products-06-04-2024