Zyxel has issued critical security updates for vulnerabilities in two of its end-of-life network-attached storage (NAS) models. The flaws could allow an unauthenticated attacker to execute operating system commands and arbitrary code on an affected device. The affected models are the NAS326 running firmware V5.21(AAZF.16)C0 and earlier, and the NAS542 running V5.21(ABAG.13)C0 and earlier. The fixes ship as V5.21(AAZF.17)C0 for the NAS326 and V5.21(ABAG.14)C0 for the NAS542.
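Checking whether a fleet of these devices is below the fixed firmware is a string-comparison problem that is easy to get wrong, because the version strings are not plain dotted numbers. The following is an added example (not Zyxel's or the advisory's own code) that parses the version format used above, V<major>.<minor>(<branch>.<build>)C<rev>, and compares it against the fixed builds. The layout of the string and the reading of AAZF as the NAS326 line and ABAG as the NAS542 line are inferred from the version strings quoted in the advisory; the inventory records are constructed for the example.

```python
import re
from typing import NamedTuple

# Fixed firmware versions from the Zyxel advisory. The four-letter code inside
# the parentheses identifies the model line: AAZF is the NAS326, ABAG the NAS542
# (inferred from the advisory's version strings).
FIXED_VERSIONS = {
    "AAZF": ("NAS326", "V5.21(AAZF.17)C0"),
    "ABAG": ("NAS542", "V5.21(ABAG.14)C0"),
}

# Version string layout, e.g. V5.21(AAZF.16)C0 -> major 5, minor 21,
# branch AAZF, build 16, release C0. Layout assumed from the advisory strings.
_VERSION_RE = re.compile(
    r"^V(?P<major>\d+)\.(?P<minor>\d+)"
    r"\((?P<branch>[A-Z]+)\.(?P<build>\d+)\)"
    r"C(?P<rev>\d+)$"
)


class FwVersion(NamedTuple):
    major: int
    minor: int
    branch: str
    build: int
    rev: int

    def order_key(self):
        # Compare numerically; the branch code identifies the model, it is not a version component.
        return (self.major, self.minor, self.build, self.rev)


def parse_version(text):
    """Parse a Zyxel NAS firmware string; raise ValueError on an unexpected layout."""
    m = _VERSION_RE.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognised firmware version string: {text!r}")
    return FwVersion(int(m["major"]), int(m["minor"]), m["branch"],
                     int(m["build"]), int(m["rev"]))


def assess(version_text):
    """Return (model, needs_patch, fixed_version) for one reported firmware string."""
    v = parse_version(version_text)
    if v.branch not in FIXED_VERSIONS:
        raise ValueError(f"branch {v.branch!r} is not a NAS326/NAS542 firmware line")
    model, fixed_text = FIXED_VERSIONS[v.branch]
    needs_patch = v.order_key() < parse_version(fixed_text).order_key()
    return model, needs_patch, fixed_text


def triage(inventory):
    """Given {hostname: firmware string}, return {hostname: verdict}.

    Verdicts are 'patch', 'ok' or 'unknown' (unparseable string or another
    model line), so that a malformed record never silently reads as 'ok'.
    """
    verdicts = {}
    for host, fw in inventory.items():
        try:
            _, needs_patch, _ = assess(fw)
        except ValueError:
            verdicts[host] = "unknown"
            continue
        verdicts[host] = "patch" if needs_patch else "ok"
    return verdicts


# Constructed sample inventory (hypothetical hostnames) for a stand-alone run.
SAMPLE_INVENTORY = {
    "nas-fin-01": "V5.21(AAZF.16)C0",   # NAS326 on the last vulnerable build
    "nas-fin-02": "V5.21(AAZF.17)C0",   # NAS326 on the fixed build
    "nas-lab-01": "V5.21(ABAG.11)C0",   # NAS542, older vulnerable build
    "nas-lab-02": "V5.21(ABAG.14)C0",   # NAS542 on the fixed build
    "nas-old-01": "V5.20(ABAG.9)C0",    # older minor release, still vulnerable
    "nas-misc-01": "V5.21(ABCD.3)C0",   # some other model line, not covered here
}

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {verdict}")
```

The comparison deliberately ignores the branch code once the model has been identified, and anything that does not parse is reported as unknown rather than ok; in an asset-management feed, the unknown bucket is where the misreported and mislabelled devices turn up.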
Five vulnerabilities have been identified, three of them critical and leading to command injection or remote code execution. CVE-2024-29972 is a command injection vulnerability in the CGI program “remote_help-cgi”, triggered by a specially crafted HTTP POST request. CVE-2024-29973 is likewise a command injection, this time through the ‘setCookie’ parameter, again reachable with a crafted HTTP POST request. CVE-2024-29974 allows remote code execution through the CGI program “file_upload-cgi” by uploading a crafted configuration file. The remaining two, CVE-2024-29975 and CVE-2024-29976, are improper privilege management flaws: the former lets an authenticated attacker execute system commands, the latter lets an authenticated attacker obtain sensitive session information.
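Two of the three critical flaws are tied to named CGI programs, which makes a first-pass detection over the device's web access log straightforward. The following is an added example, not code from the advisory or from Zyxel, that scans combined-format access log lines for requests whose path names “remote_help-cgi” or “file_upload-cgi” and groups the hits by source address. The request paths and log lines are constructed for the example (the advisory names only the CGI programs, not the URLs under which they are served), and the scanner does not attempt to cover CVE-2024-29973, because the page identifies that flaw only by the parameter name ‘setCookie’ and this example makes no assumption about where in the request that parameter appears.

```python
import re
from dataclasses import dataclass

# Indicators taken from the advisory: the two CGI programs it names.
# The request paths in the sample log below are constructed, not observed.
CGI_INDICATORS = {
    "remote_help-cgi": "CVE-2024-29972",
    "file_upload-cgi": "CVE-2024-29974",
}

# Combined/common log format: ip ident user [time] "METHOD path proto" status size ...
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)


@dataclass(frozen=True)
class Hit:
    ip: str
    ts: str
    method: str
    path: str
    status: int
    cve: str


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = _LOG_RE.match(line)
    return m.groupdict() if m else None


def scan(lines):
    """Return a Hit for every request whose path names one of the advisory's CGI programs.

    All methods are flagged, not only POST: a GET against these programs from an
    untrusted address is still worth a look, and the status code is kept so that
    a 200 (request accepted) can be separated from a 401/403 (rejected).
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path_lc = rec["path"].lower()
        for cgi, cve in CGI_INDICATORS.items():
            if cgi in path_lc:
                hits.append(Hit(rec["ip"], rec["ts"], rec["method"],
                                rec["path"], int(rec["status"]), cve))
    return hits


def sources(hits):
    """Group hits by client IP -> sorted list of CVEs touched, for quick triage."""
    by_ip = {}
    for h in hits:
        by_ip.setdefault(h.ip, set()).add(h.cve)
    return {ip: sorted(cves) for ip, cves in by_ip.items()}


# Constructed sample log using RFC 5737 documentation addresses; not captured traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2024:08:01:12 +0000] "POST /cgi-bin/remote_help-cgi HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.23 - - [10/Jun/2024:08:01:15 +0000] "GET /login.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2024:08:02:01 +0000] "POST /cgi-bin/file_upload-cgi HTTP/1.1" 200 128 "-" "python-requests/2.31"
192.0.2.44 - - [10/Jun/2024:08:03:30 +0000] "POST /cgi-bin/file_upload-cgi HTTP/1.1" 401 0 "-" "curl/8.5.0"
192.0.2.44 - - [10/Jun/2024:08:03:31 +0000] "GET /desktop/index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    found = scan(SAMPLE_LOG.splitlines())
    for hit in found:
        print(hit)
    print(sources(found))
```

On the constructed log, 203.0.113.7 touches both CGI programs with accepted requests, which is the pattern to escalate first; a single rejected request, as from 192.0.2.44, is lower priority but still shows that the management interface is reachable from that address.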
Timothy Hjort, a security researcher at Outpost24, is credited with discovering the vulnerabilities. Notably, the two privilege escalation flaws, which require authentication, are not addressed by the released patches. At the time the patches were released there was no evidence of exploitation in the wild, but three unauthenticated remote flaws in devices that no longer receive regular updates warrant immediate attention.
The Shadowserver Foundation has subsequently reported exploitation attempts against CVE-2024-29973 aimed at recruiting devices into a Mirai-like botnet. This underscores the urgency for users to apply the provided patches or, since both models are end-of-life, to replace them with a supported device.
For mapping the likely attack path, the MITRE ATT&CK framework offers a reference: unauthenticated command injection in an exposed NAS web interface corresponds to initial access through Exploit Public-Facing Application (T1190), the resulting OS command execution to Command and Scripting Interpreter (T1059), and the two authenticated flaws to Exploitation for Privilege Escalation (T1068). Device owners should treat this advisory as a reminder to keep firmware current, to retire end-of-life hardware, and to keep NAS management interfaces off the public internet, since that exposure is what turns a command injection flaw into botnet fodder.
In conclusion, organizations still running these Zyxel NAS models must act swiftly: apply the hotfixes or replace the devices, and keep monitoring for exploitation attempts, bearing in mind that two of the five flaws remain unpatched.