
WARNING: MULTIPLE CRITICAL, HIGH AND MEDIUM VULNERABILITIES IN ZYXEL NAS DEVICES CAN BE EXPLOITED TO EXECUTE CODE AND STEAL INFORMATION. DECOMMISSION OR PATCH IMMEDIATELY!

Reference: Advisory #2024-80
Version: 1.0
Affected software: Zyxel NAS devices models NAS326 and NAS542
Type: Remote code execution, local code execution, information leakage
CVE/CVSS:

CVE-2024-29972: 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVE-2024-29973: 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) UPDATE 2024-06-24: Known to be actively exploited
CVE-2024-29974: 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVE-2024-29975: 6.7 (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
CVE-2024-29976: 7.4 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)

Sources

https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-multiple-vulnerabilities-in-nas-products-06-04-2024

Risks

On 4 June 2024, Zyxel published a security advisory about 5 vulnerabilities in end-of-life NAS devices models NAS326 and NAS542. The reported vulnerabilities are CVE-2024-29972, CVE-2024-29973, CVE-2024-29974, CVE-2024-29975 and CVE-2024-29976.

Exploitation of these vulnerabilities has a high impact on confidentiality, integrity and availability.

NAS devices are data storage devices that can be accessed remotely. NAS devices are regularly targeted by threat actors for various purposes such as spreading malware, stealing data, altering system configurations, and triggering a denial-of-service condition[1].

There is presently no indication that these vulnerabilities have come under active exploitation (cut-off date: 4 June 2024). However, the fact that Zyxel decided to release security patches for end-of-life devices could indicate that exploitation can be expected.

UPDATE 2024-06-24: There are presently indications that CVE-2024-29973 is actively exploited by attackers seeking to compromise the security and integrity of the affected devices.


Description

CVE-2024-29972 is a command injection vulnerability in the CGI program “remote_help-cgi” in Zyxel NAS326 and NAS542 devices that could allow an unauthenticated attacker to execute some operating system (OS) commands by sending a crafted HTTP POST request.

CVE-2024-29973 is a command injection vulnerability in the “setCookie” parameter in Zyxel NAS326 and NAS542 devices that could allow an unauthenticated attacker to execute some OS commands by sending a crafted HTTP POST request.

CVE-2024-29974 is a remote code execution vulnerability in the CGI program “file_upload-cgi” in Zyxel NAS326 and NAS542 devices that could allow an unauthenticated attacker to execute arbitrary code by uploading a crafted configuration file to a vulnerable device.

CVE-2024-29975 is an improper privilege management vulnerability in a SUID executable binary in Zyxel NAS326 and NAS542 devices that could allow an authenticated local attacker with administrator privileges to execute some system commands as the “root” user on a vulnerable device.

CVE-2024-29976 is an improper privilege management vulnerability in the command “show_allsessions” in Zyxel NAS326 and NAS542 devices that could allow an authenticated attacker to obtain a logged-in administrator’s session information, including cookies, on an affected device.

Recommended Actions

End of Life Systems

The Centre for Cybersecurity Belgium (CCB) strongly advises all organizations to handle end-of-life (EOL) appliances with utmost care to mitigate vulnerabilities in their public attack surface.

Keep your organisation’s asset inventory updated to reflect the decommissioning of end-of-life devices, maintaining a robust and current security posture.

Ensure end-of-life appliances are disconnected from all networks to prevent potential access points for cyber attackers.

Securely wiping all data from these devices using industry-standard data destruction methods is essential. It is recommended to physically destroy and recycle the hardware through certified e-waste disposal services to prevent unauthorized data retrieval.

Patch

The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.

Zyxel reported that these vulnerabilities are fixed with software updates:

  • For NAS326 devices: upgrade to patch V5.21(AAZF.17)C0
  • For NAS542 devices: upgrade to patch V5.21(ABAG.14)C0
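The two fixed versions above, as an added inventory check that is not part of this advisory or of Zyxel's tooling: it parses firmware version strings in the form quoted above and reports whether each device in a constructed inventory is at or above the fixed build for its model. The version-string layout (V<major>.<minor>(<branch>.<build>)C<release>) and the AAZF/ABAG model codes are assumptions read off the two strings in the list.

```python
import re

# Fixed firmware versions quoted in the advisory, keyed by model.
FIXED_VERSIONS = {
    "NAS326": "V5.21(AAZF.17)C0",
    "NAS542": "V5.21(ABAG.14)C0",
}

# Assumed layout: V<major>.<minor>(<branch>.<build>)C<release>, <branch> being the model code.
VERSION_RE = re.compile(r"^V(\d+)\.(\d+)\(([A-Z]+)\.(\d+)\)C(\d+)$")

def parse_version(s):
    """Return ((major, minor, build, release), branch) or raise ValueError."""
    m = VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version string: {s!r}")
    major, minor, branch, build, release = m.groups()
    return (int(major), int(minor), int(build), int(release)), branch

def is_patched(model, version):
    """True if `version` is at or above the fixed build for `model`; ValueError if malformed."""
    fixed_key, fixed_branch = parse_version(FIXED_VERSIONS[model])
    cur_key, cur_branch = parse_version(version)
    if cur_branch != fixed_branch:
        raise ValueError(f"{version} is not a {model} build (expected branch {fixed_branch})")
    return cur_key >= fixed_key

def triage(inventory):
    """inventory: iterable of (hostname, model, version) -> list of (hostname, status)."""
    results = []
    for host, model, version in inventory:
        if model not in FIXED_VERSIONS:
            results.append((host, "not-in-scope"))
            continue
        try:
            status = "patched" if is_patched(model, version) else "VULNERABLE"
        except ValueError as e:
            status = f"unknown ({e})"
        results.append((host, status))
    return results

# Constructed sample inventory (hostnames and versions are made up for the example).
SAMPLE_INVENTORY = [
    ("nas-hr",  "NAS326", "V5.21(AAZF.16)C0"),   # one build behind the fix
    ("nas-it",  "NAS326", "V5.21(AAZF.17)C0"),   # exactly the fixed build
    ("nas-lab", "NAS542", "V5.21(ABAG.13)C0"),   # behind the fix
    ("nas-mix", "NAS542", "V5.21(AAZF.17)C0"),   # NAS326 build reported for a NAS542
]
```

Run `triage(SAMPLE_INVENTORY)` against a version list exported from your asset inventory; a mismatched model code is flagged rather than silently compared.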

Monitor/Detect

The CCB recommends that organizations scale up their monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via: https://cert.be/en/report-incident
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.

References

https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-multiple-vulnerabilities-in-nas-products-06-04-2024