Skip to the content.

DIVD-2024-00030 - Zyxel NAS - unauthenticated OS command injection

Our reference DIVD-2024-00030
Case lead Koen Schagen
Researcher(s)
CVE(s)
Products
  • Zyxel NAS326
  • Zyxel NAS542
Versions
  • NAS326 - V5.21(AAZF.16)C0 and earlier
  • NAS542 - V5.21(ABAG.13)C0 and earlier
Recommendation If your Zyxel NAS device is running a vulnerable firmware/software version, please update it to the latest version.
Patch status Released
Status Open
Last modified 04 Jul 2024 10:33

Summary

Several vulnerabilities have been found in Zyxel NAS devices NAS326 and NAS542. When attackers have line-of-sight to the NAS device through the internet or an internal network, they can potentially gain full root access. As outlined in the Outpost24 blog, multiple CVEs are required to achieve this level of access, including a Python code injection, local privilege escalation, and persistent remote code execution.

At DIVD, we will primarily focus on CVE-2024-29973 to identify vulnerable devices. If CVE-2024-29973 is present, it indicates that other CVEs are likely present as well since they are all addressed in the same firmware update.

Recommendations

Zyxel advises upgrading to the latest firmware version to benefit from the vulnerability fixes. On the versions below, the mentioned vulnerabilities have been fixed:

DIVD recommends that you do not have this device reachable from the internet unless it is absolutely nessecary. If this is the case, a firewall rule should be placed in front of the Zyxel NAS device so that it can only be accessed from trusted IP addresses so attackers will have no access.

What we are doing

DIVD is currently working to identify vulnerable parties and notifying them. We do this by finding Zyxel NAS devices connected to the internet and verifying if the device is running the latest firmware version to be protected against the above described threats. The notifications will be sent to the party responsible for the ip address according to the whois database.

Timeline

Date Description
24 Jun 2024 DIVD starts researching the vulnerabilities.
27 Jun 2024 DIVD found a way to fingerprint vulnerable devices
27 Jun 2024 First version of this casefile
27 Jun 2024 DIVD starts scanning the internet for vulnerable devices
07 Apr 2024 DIVD starts notifying network owners with a vulnerable device in their network.
gantt title DIVD-2024-00030 - Zyxel NAS - unauthenticated OS command injection dateFormat YYYY-MM-DD axisFormat %e %b %Y section Case DIVD-2024-00030 - Zyxel NAS - unauthenticated OS command injection (still open) :2024-06-24, 2024-07-20 section Events DIVD starts researching the vulnerabilities. : milestone, 2024-06-24, 0d DIVD found a way to fingerprint vulnerable devices : milestone, 2024-06-27, 0d First version of this casefile : milestone, 2024-06-27, 0d DIVD starts scanning the internet for vulnerable devices : milestone, 2024-06-27, 0d DIVD starts notifying network owners with a vulnerable device in their network. : milestone, 2024-04-07, 0d

More information