DIVD-2024-00030 - Zyxel NAS - unauthenticated OS command injection
Field | Value |
---|---|
Our reference | DIVD-2024-00030 |
Case lead | Koen Schagen |
Researcher(s) | |
CVE(s) | |
Products | |
Versions | |
Recommendation | If your Zyxel NAS device is running a vulnerable firmware/software version, please update it to the latest version. |
Patch status | Released |
Status | Open |
Last modified | 28 Jun 2024 15:40 |
Summary
Several vulnerabilities have been found in the Zyxel NAS326 and NAS542 NAS devices. An attacker who can reach the NAS device over the internet or an internal network can potentially gain full root access. As outlined in the Outpost24 blog, multiple CVEs must be chained to achieve this level of access, including a Python code injection, a local privilege escalation, and persistent remote code execution.
At DIVD, we primarily focus on CVE-2024-29973 to identify vulnerable devices. If CVE-2024-29973 is present, the other CVEs are likely present as well, since all of them are addressed in the same firmware update.
Recommendations
Zyxel advises upgrading to the latest firmware version to receive the vulnerability fixes. The vulnerabilities are fixed in the following versions:
- NAS326 -> V5.21(AAZF.17)C0 (released May 10th 2024)
- NAS542 -> V5.21(ABAG.14)C0 (released May 10th 2024)
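A defender-side check against the fixed versions listed above, added here as an example (not DIVD's or Zyxel's own code): it parses firmware strings of the form shown, assuming the layout V<major>.<minor>(<build code>.<patch>)C<release>, and reports whether a device's firmware predates the fix for its model. The sample inventory in the main block is constructed.

```python
import re
from typing import NamedTuple

# Fixed firmware versions per model, as given in the Zyxel advisory above.
FIXED_VERSIONS = {
    "NAS326": "V5.21(AAZF.17)C0",
    "NAS542": "V5.21(ABAG.14)C0",
}

# Assumed layout of a Zyxel firmware string: V<major>.<minor>(<build code>.<patch>)C<release>
_VERSION_RE = re.compile(r"^V(\d+)\.(\d+)\(([A-Z]+)\.(\d+)\)C(\d+)$")

class Firmware(NamedTuple):
    major: int
    minor: int
    code: str  # model-specific build code, e.g. AAZF for NAS326
    patch: int
    release: int

    def ordinal(self) -> tuple:
        # Comparable key; the build code is checked separately, not ordered.
        return (self.major, self.minor, self.patch, self.release)

def parse_firmware(version: str) -> Firmware:
    """Parse a string such as 'V5.21(AAZF.17)C0'; reject anything else."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Zyxel firmware string: {version!r}")
    major, minor, code, patch, release = m.groups()
    return Firmware(int(major), int(minor), code, int(patch), int(release))

def is_vulnerable(model: str, version: str) -> bool:
    """True when `version` on `model` predates the fixed release."""
    if model not in FIXED_VERSIONS:
        raise ValueError(f"no fixed version known for model {model!r}")
    fixed = parse_firmware(FIXED_VERSIONS[model])
    current = parse_firmware(version)
    if current.code != fixed.code:
        # A build code from another model cannot be compared meaningfully.
        raise ValueError(f"build code {current.code} does not belong to {model}")
    return current.ordinal() < fixed.ordinal()

if __name__ == "__main__":
    # Constructed sample inventory (model, firmware); not real devices.
    for model, fw in [("NAS326", "V5.21(AAZF.16)C0"), ("NAS542", "V5.21(ABAG.14)C0")]:
        print(model, fw, "VULNERABLE" if is_vulnerable(model, fw) else "patched")
```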
DIVD recommends not exposing this device to the internet unless it is absolutely necessary. If it must be reachable, place a firewall rule in front of the Zyxel NAS device so that it can only be accessed from trusted IP addresses, leaving attackers no access.
What we are doing
DIVD is currently working to identify vulnerable parties and notify them. We do this by finding Zyxel NAS devices connected to the internet and verifying whether each device is running the latest firmware version, which protects it against the threats described above. Notifications are sent to the party responsible for the IP address according to the WHOIS database.
Timeline
Date | Description |
---|---|
24 Jun 2024 | DIVD starts researching the vulnerabilities. |
27 Jun 2024 | DIVD found a way to fingerprint vulnerable devices. |
27 Jun 2024 | First version of this casefile. |
27 Jun 2024 | DIVD starts scanning the internet for vulnerable devices. |
More information
- CVE-2024-29972
- CVE-2024-29973
- CVE-2024-29974
- CVE-2024-29975
- CVE-2024-29976
- Zyxel Security Advisory 06-04-2024
- Outpost24 research-and-threat-intel blog