DIVD-2024-00030 - Zyxel NAS - unauthenticated OS command injection
Our reference | DIVD-2024-00030 |
Case lead | Koen Schagen |
Researcher(s) | |
CVE(s) | CVE-2024-6342, CVE-2024-29972, CVE-2024-29973, CVE-2024-29974, CVE-2024-29975, CVE-2024-29976 |
Products | Zyxel NAS326, Zyxel NAS542 |
Versions | Firmware earlier than V5.21(AAZF.18)Hotfix01 (NAS326) and V5.21(ABAG.15)Hotfix01 (NAS542) |
Recommendation | If your Zyxel NAS device is running a vulnerable firmware version, update it to the latest version. |
Patch status | Released |
Status | Closed |
Last modified | 03 Oct 2024 21:51 CEST |
Summary
Several vulnerabilities have been found in the Zyxel NAS326 and NAS542 devices. An attacker who can reach the NAS over the internet or an internal network can potentially gain full root access. As outlined in the Outpost24 blog, several of the CVEs are chained to reach that level of access, including a Python code injection, a local privilege escalation, and a persistent remote code execution.
At DIVD, we primarily focus on CVE-2024-29973 to identify vulnerable devices. If CVE-2024-29973 is present, the other CVEs are very likely present as well, since they are all addressed in the same firmware update.
!!NEW UPDATE!!
Another CVE (CVE-2024-6342) was found in the firmware version this case originally recommended, so we updated the case to the latest download links as outlined in the new Zyxel Security Advisory of 10-09-2024. We also updated our fingerprint: it now reads the firmware creation date from the Last-Modified header of the device's HTTP response, which lets us determine whether the hotfix firmware version mentioned below is active on the Zyxel NAS device.
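The date-based check described above, written out as an added example (this is not DIVD's scanner code). It assumes the Last-Modified header of a response from the NAS web UI reflects the firmware build date, and it uses an assumed cutoff of 20 August 2024 for the end-of-August hotfix release; the sample HTTP heads are constructed for the example.

```python
"""
Classify a Zyxel NAS as pre- or post-hotfix from the Last-Modified header.
Added example, not DIVD's own fingerprint implementation.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Assumption: the hotfix firmware (V5.21(AAZF.18)Hotfix01 / V5.21(ABAG.15)Hotfix01)
# was released at the end of August 2024, as the case file states. The exact
# cutoff day is an assumption; anything built before it is treated as pre-hotfix.
HOTFIX_CUTOFF = datetime(2024, 8, 20, tzinfo=timezone.utc)


def parse_headers(raw_head: str) -> dict:
    """Parse a raw HTTP response head (status line plus headers) into a dict.

    Header names are lower-cased; the status line and the body (after the
    first blank line) are ignored.
    """
    headers = {}
    lines = raw_head.replace("\r\n", "\n").split("\n")
    for line in lines[1:]:
        if not line.strip():
            break  # end of the header block
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not a header line, skip it
        headers[name.strip().lower()] = value.strip()
    return headers


def firmware_date(headers: dict):
    """Return the Last-Modified value as an aware datetime, or None if absent/invalid."""
    value = headers.get("last-modified")
    if value is None:
        return None
    try:
        parsed = parsedate_to_datetime(value)
    except (TypeError, ValueError):  # older/newer Pythons raise different errors
        return None
    if parsed.tzinfo is None:  # "-0000" yields a naive datetime; treat it as UTC
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed


def classify(raw_head: str, cutoff: datetime = HOTFIX_CUTOFF) -> str:
    """Return 'likely-vulnerable', 'likely-patched' or 'unknown' for one response head."""
    build = firmware_date(parse_headers(raw_head))
    if build is None:
        return "unknown"  # no usable date: do not guess, verify by other means
    return "likely-vulnerable" if build < cutoff else "likely-patched"


# Constructed sample responses (not captured from a real device).
PRE_HOTFIX_HEAD = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Last-Modified: Tue, 14 May 2024 08:12:33 GMT\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)
POST_HOTFIX_HEAD = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Last-Modified: Thu, 29 Aug 2024 10:05:00 GMT\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)
NO_DATE_HEAD = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"

if __name__ == "__main__":
    for label, head in [("pre-hotfix", PRE_HOTFIX_HEAD),
                        ("post-hotfix", POST_HOTFIX_HEAD),
                        ("no Last-Modified", NO_DATE_HEAD)]:
        print(f"{label}: {classify(head)}")
```

The result is a heuristic, not proof of a patched device: a reverse proxy or cache in front of the NAS can rewrite or strip Last-Modified, and a missing or malformed header yields "unknown" rather than a verdict. Confirm the running firmware version in the device's administration UI before treating a device as patched.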
Recommendations
Zyxel advises upgrading to the latest firmware version to benefit from the vulnerability fixes. The mentioned vulnerabilities are fixed in the following versions:
- NAS326 -> V5.21(AAZF.18)Hotfix01 (released end of August 2024)
- NAS542 -> V5.21(ABAG.15)Hotfix01 (released end of August 2024)
DIVD recommends that you do not expose this device to the internet unless absolutely necessary. If exposure is unavoidable, place a firewall rule in front of the Zyxel NAS device so that it can only be reached from trusted IP addresses; attackers outside that allow-list then cannot reach the vulnerable services at all.
What we are doing
DIVD is currently working to identify and notify vulnerable parties. We do this by finding Zyxel NAS devices connected to the internet and verifying whether each device is running the latest firmware version that protects against the threats described above. Notifications are sent to the party responsible for the IP address according to the Whois database.
Timeline
Date | Description |
---|---|
24 Jun 2024 | DIVD starts researching the vulnerabilities. |
27 Jun 2024 | DIVD finds a way to fingerprint vulnerable devices. |
27 Jun 2024 | First version of this case file. |
27 Jun 2024 | DIVD starts scanning the internet for vulnerable devices. |
04 Jul 2024 | DIVD starts notifying network owners with a vulnerable device in their network. |
10 Sep 2024 | Zyxel announces another security advisory with an additional command injection vulnerability (CVE-2024-6342); based on that, we update the suggested firmware version in this case. |
10 Sep 2024 | DIVD starts researching a new fingerprint that also covers CVE-2024-6342. |
19 Sep 2024 | DIVD switches to the new fingerprint, which checks the device firmware creation date. |
26 Sep 2024 | DIVD completes the new scan and starts notifying network owners with a vulnerable device. |
03 Oct 2024 | Case closed. |
More information
- CVE-2024-6342
- CVE-2024-29972
- CVE-2024-29973
- CVE-2024-29974
- CVE-2024-29975
- CVE-2024-29976
- Zyxel Security Advisory 06-04-2024
- Zyxel Security Advisory 10-09-2024
- Outpost24 research-and-threat-intel blog