High

Analysis Summary

Zyxel has issued critical security updates for two of its network-attached storage (NAS) devices NAS326 and NAS542 which have reached end-of-life status. These updates address five vulnerabilities, three of which are particularly severe, allowing unauthenticated attackers to execute operating system commands and arbitrary code.

The vulnerabilities have been resolved in firmware versions V5.21(AAZF.17)C0 for NAS326 and V5.21(ABAG.14)C0 for NAS542, improving the security of these devices. The first three vulnerabilities are the most critical. CVE-2024-29972 is a command injection vulnerability in the CGI program "remote_help-cgi," allowing attackers to execute OS commands via crafted HTTP POST requests.

CVE-2024-29973 is another command injection flaw in the 'setCookie' parameter, similarly permitting OS command execution through crafted HTTP POST requests. CVE-2024-29974 is a remote code execution vulnerability in the CGI program 'file_upload-cgi,' enabling attackers to execute arbitrary code by uploading a malicious configuration file. These flaws are particularly dangerous because they do not require authentication, making them easily exploitable by remote attackers.

Two additional vulnerabilities, CVE-2024-29975 and CVE-2024-29976 involve improper privilege management. CVE-2024-29975 allows an authenticated local attacker with administrator privileges to execute system commands as the 'root' user via a SUID executable binary. CVE-2024-29976 enables an authenticated attacker to obtain logged-in administrator session information including cookies through the 'show_allsessions' command. Notably, these two privilege escalation vulnerabilities remain unpatched posing a continued risk for authenticated local attacks.

Researchers discovered and reported these vulnerabilities. Although there is currently no evidence of these issues being exploited in the wild, users are strongly advised to update their NAS devices to the latest firmware versions to mitigate potential threats. By applying these updates users can protect their devices from unauthorized command execution and code injection attacks, enhancing the overall security of their network storage solutions.

Impact

• Sensitive Data Theft
• Remote Code Execution
• Unauthorized Access
• Privilege Escalation

Indicators of Compromise

CVE

• CVE-2024-29972
• CVE-2024-29973
• CVE-2024-29974
• CVE-2024-29975
• CVE-2024-29976

Affected Vendors

Remediation

• Refer to the Zyxel Security Advisory for patch, upgrade, or suggested workaround information.
• Organizations must test their assets for the vulnerabilities mentioned above and apply the available security patches or mitigation steps as soon as possible.
• Implement multi-factor authentication to add an extra layer of security to login processes.
• Regularly monitor network activity for any unusual behavior, as this may indicate that a cyberattack is underway.
• Organizations must stay vigilant and follow best practices for cybersecurity to protect their systems and data from potential threats. This includes regularly updating software and implementing strong access controls and monitoring tools.
• Develop a comprehensive incident response plan to respond effectively in case of a security breach or data leakage.
• Maintain regular backups of critical data and systems to ensure data recovery in case of a security incident.
• Adhere to security best practices, including the principle of least privilege, and ensure that users and applications have only the necessary permissions.
• Establish a robust patch management process to ensure that security patches are evaluated, tested, and applied promptly.
• Conduct security audits and assessments to evaluate the overall security posture of your systems and networks.
• Implement network segmentation to contain and isolate potential threats to limit their impact on critical systems.