DIVD-2024-00030 - Zyxel NAS - unauthenticated OS command injection

Summary

Several vulnerabilities have been found in Zyxel NAS devices NAS326 and NAS542. When attackers have line-of-sight to the NAS device through the internet or an internal network, they can potentially gain full root access. As outlined in the Outpost24 blog, multiple CVEs are required to achieve this level of access, including a Python code injection, local privilege escalation, and persistent remote code execution.

At DIVD, we will primarily focus on CVE-2024-29973 to identify vulnerable devices. If CVE-2024-29973 is present, it indicates that other CVEs are likely present as well since they are all addressed in the same firmware update.

Recommendations

Zyxel advises upgrading to the latest firmware version to benefit from the vulnerability fixes. On the versions below, the mentioned vulnerabilities have been fixed:

• NAS326 -> V5.21(AAZF.17)C0 (released May 10th 2024)
• NAS542 -> V5.21(ABAG.14)C0 (released May 10th 2024)

DIVD recommends that you do not have this device reachable from the internet unless it is absolutely nessecary. If this is the case, a firewall rule should be placed in front of the Zyxel NAS device so that it can only be accessed from trusted IP addresses so attackers will have no access.

What we are doing

DIVD is currently working to identify vulnerable parties and notifying them. We do this by finding Zyxel NAS devices connected to the internet and verifying if the device is running the latest firmware version to be protected against the above described threats. The notifications will be sent to the party responsible for the ip address according to the whois database.

Timeline

More information

• CVE-2024-29972
• CVE-2024-29973
• CVE-2024-29974
• CVE-2024-29975
• CVE-2024-29976
• Zyxel Security Advisory 06-04-2024
• Outpost24 research-and-threat-intel blog