Zyxel has released security updates to address critical flaws impacting two of its network-attached storage (NAS) devices that have currently reached end-of-life (EoL) status.
Successful exploitation of three of the five vulnerabilities could permit an unauthenticated attacker to execute operating system (OS) commands and arbitrary code on affected installations.
Impacted models include NAS326 running versions V5.21(AAZF.16)C0 and earlier, and NAS542 running versions V5.21(ABAG.13)C0 and earlier. The shortcomings have been resolved in versions V5.21(AAZF.17)C0 and V5.21(ABAG.14)C0, respectively.
A brief description of the flaws is as follows -
- CVE-2024-29972 - A command injection vulnerability in the CGI program "remote_help-cgi" that could allow an unauthenticated attacker to execute some operating system (OS) commands by sending a crafted HTTP POST request
- CVE-2024-29973 - A command injection vulnerability in the 'setCookie' parameter that could allow an unauthenticated attacker to execute some OS commands by sending a crafted HTTP POST request
- CVE-2024-29974 - A remote code execution vulnerability in the CGI program 'file_upload-cgi' that could allow an unauthenticated attacker to execute arbitrary code by uploading a crafted configuration file
- CVE-2024-29975 - An improper privilege management vulnerability in the SUID executable binary that could allow an authenticated local attacker with administrator privileges to execute some system commands as the 'root' user
- CVE-2024-29976 - An improper privilege management vulnerability in the command 'show_allsessions' that could allow an authenticated attacker to obtain a logged-in administrator's session information containing cookies on an affected device
Outpost24 security researcher Timothy Hjort has been credited with discovering and reporting the five flaws. It's worth noting that the two of the privilege escalation flaws that require authentication remain unpatched.
While there is no evidence that the issues have been exploited in the wild, users are recommended to update to the latest version for optimal protection.
Update
The Shadowserver Foundation, on June 21, 2024, said it's seeing exploitation attempts targeting CVE-2024-29973 to deliver a Mirai-like botnet, making it essential that users take steps to either apply the patch or upgrade to a supported device to mitigate threats.