Zyxel didn't abandon old NAS: fresh patches fix three vulnerabilities at once

Tomcat

Update your network storage as soon as possible – the exploits are already in the hands of hackers.

Zyxel has released an emergency security update to address three critical vulnerabilities in older NAS models that have already reached end of life.

The vulnerabilities affect NAS326 models with firmware version 5.21(AAZF.16)C0 and earlier, as well as NAS542 models with firmware version 5.21(ABAG.13)C0 and older.

These vulnerabilities allow attackers to perform command injection and remote code execution. However, two other vulnerabilities related to privilege escalation and information disclosure were not fixed in these devices. Who knows, maybe the company will fix these problems later.

Timothy Hjort, a security researcher at Outpost24, discovered all five vulnerabilities and reported them to Zyxel. Yesterday, on the fourth of June, Hjort published a detailed report and a demonstration of working PoC exploits, in coordination with Zyxel.

Vulnerabilities that have been patched include:
  • CVE-2024-29972. A command injection vulnerability in the CGI program ("remote_help-cgi") that allows an unauthenticated attacker to send a specially crafted HTTP POST request to execute OS commands via the NsaRescueAngel account with root privileges.
  • CVE-2024-29973. A command injection vulnerability in the "setCookie" parameter that allows an attacker to send a specially crafted HTTP POST request to execute system commands.
  • CVE-2024-29974. A remote code execution vulnerability in the CGI program ("file_upload-cgi") that allows an unauthenticated attacker to upload malicious configuration files to the device.

The following vulnerabilities have not been fixed:
  • CVE-2024-29975. A privilege management flaw in a SUID executable that allows an authenticated local attacker with administrator rights to execute system commands as the root user.
  • CVE-2024-29976. A privilege management flaw in the "show_allsessions" command that allows an authenticated attacker to obtain session information, including active administrator cookies.

Although support for these NAS models ended on December 31, 2023, Zyxel released fixes for the three critical vulnerabilities in versions 5.21(AAZF.17)C0 for NAS326 and 5.21(ABAG.14)C0 for NAS542. This makes the company stand out from its competitors, who often refuse to release fixes for hardware that is out of the support cycle.
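For anyone tracking a fleet of these devices, the version strings above are awkward to compare by eye. The following added example (not from the post or from Zyxel) parses Zyxel's firmware format, tolerates the stray spaces that copy/paste tends to insert, and reports which hosts are still below the first fixed build; the model-to-build table is taken from the advisory text above, and treating any release line newer than 5.21 as patched is an assumption.

```python
import re

# Constructed from the advisory: model -> (build prefix, first build carrying the fixes).
FIXED_BUILDS = {
    "NAS326": ("AAZF", 17),  # 5.21(AAZF.17)C0 fixes CVE-2024-29972/29973/29974
    "NAS542": ("ABAG", 14),  # 5.21(ABAG.14)C0
}

# Matches e.g. "V5.21(AAZF.16)C0" (leading "V" optional) after whitespace is removed.
VERSION_RE = re.compile(r"^V?(\d+)\.(\d+)\(([A-Z]+)\.(\d+)\)C(\d+)$")


def parse_version(version: str):
    """Return (major, minor, prefix, build, revision) for a Zyxel firmware string.

    Whitespace such as in '5.21 (ABAG. 13) C0' is stripped before matching.
    Raises ValueError on anything that does not look like a Zyxel version.
    """
    compact = re.sub(r"\s+", "", version)
    m = VERSION_RE.match(compact)
    if not m:
        raise ValueError(f"unrecognised Zyxel firmware version: {version!r}")
    major, minor, prefix, build, rev = m.groups()
    return int(major), int(minor), prefix, int(build), int(rev)


def is_patched(model: str, version: str) -> bool:
    """True if this model/firmware already carries the June 2024 fixes."""
    if model not in FIXED_BUILDS:
        raise ValueError(f"model {model!r} is not covered by this advisory")
    prefix, fixed_build = FIXED_BUILDS[model]
    major, minor, got_prefix, build, _ = parse_version(version)
    if got_prefix != prefix:
        raise ValueError(f"{version!r} is not a {model} build ({prefix} expected)")
    # Assumption: only the 5.21 line exists for these models; anything newer is
    # treated as patched, anything older as vulnerable, and within 5.21 the
    # build number decides.
    if (major, minor) != (5, 21):
        return (major, minor) > (5, 21)
    return build >= fixed_build


def triage(inventory):
    """inventory: iterable of (hostname, model, version); returns hosts still needing the update."""
    return [host for host, model, ver in inventory if not is_patched(model, ver)]
```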

Representatives of Zyxel report that, at the moment, there are no known cases of these vulnerabilities being exploited in the wild. However, given the availability of public proof-of-concept exploits, device owners are advised to apply the security updates as soon as possible.