Zyxel security advisory for multiple vulnerabilities in NAS products

Posted by Zyxel_May (Zyxel Employee)

CVEs: CVE-2024-29972, CVE-2024-29973, CVE-2024-29974, CVE-2024-29975, CVE-2024-29976

Summary

Zyxel has released patches addressing command injection and remote code execution vulnerabilities in two NAS products that have reached end-of-vulnerability-support. Users are advised to install them for optimal protection.

What are the vulnerabilities?

CVE-2024-29972

**UNSUPPORTED WHEN ASSIGNED**

This command injection vulnerability in the CGI program “remote_help-cgi” in Zyxel NAS326 and NAS542 devices could allow an unauthenticated attacker to execute some operating system (OS) commands by sending a crafted HTTP POST request.

CVE-2024-29973

**UNSUPPORTED WHEN ASSIGNED**

This command injection vulnerability in the “setCookie” parameter in Zyxel NAS326 and NAS542 devices could allow an unauthenticated attacker to execute some OS commands by sending a crafted HTTP POST request.

CVE-2024-29974

**UNSUPPORTED WHEN ASSIGNED**

This remote code execution vulnerability in the CGI program “file_upload-cgi” in Zyxel NAS326 and NAS542 devices could allow an unauthenticated attacker to execute arbitrary code by uploading a crafted configuration file to a vulnerable device.

CVE-2024-29975

**UNSUPPORTED WHEN ASSIGNED**

This improper privilege management vulnerability in the SUID executable binary in Zyxel NAS326 and NAS542 devices could allow an authenticated local attacker with administrator privileges to execute some system commands as the “root” user on a vulnerable device.

CVE-2024-29976

**UNSUPPORTED WHEN ASSIGNED**

This improper privilege management vulnerability in the command “show_allsessions” in Zyxel NAS326 and NAS542 devices could allow an authenticated attacker to obtain a logged-in administrator’s session information containing cookies on an affected device.

What versions are vulnerable—and what should you do?

Due to the critical severity of vulnerabilities CVE-2024-29972, CVE-2024-29973, and CVE-2024-29974, Zyxel has made patches available to customers with extended support as outlined in the table below, despite the products already having reached end-of-vulnerability-support*.

| Affected model | Affected version | Patch availability |
|---|---|---|
| NAS326 | V5.21(AAZF.16)C0 and earlier | V5.21(AAZF.17)C0 |
| NAS542 | V5.21(ABAG.13)C0 and earlier | V5.21(ABAG.14)C0 |

*Both NAS326 and NAS542 reached end-of-vulnerability-support on Dec. 31, 2023.
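To turn the table above into a repeatable inventory check, the following Python script (an added example, not Zyxel's code or tooling) parses firmware strings of the form used in the advisory, `V5.21(AAZF.16)C0`, and reports whether a recorded model/version pair falls in the "and earlier" range. It assumes that the string decomposes as `V<major>.<minor>(<branch>.<build>)C<rev>`, that the branch code is fixed per model (AAZF for NAS326, ABAG for NAS542), and that builds order by `(major, minor, build, rev)`; the inventory records at the bottom are constructed sample data.

```python
import re
from typing import Dict, List, NamedTuple

# Patch table copied from the advisory. Assumption: these are the only
# fixed builds, and each model ships a single firmware branch code.
ADVISORY = {
    "NAS326": {"branch": "AAZF", "last_affected": "V5.21(AAZF.16)C0", "fixed": "V5.21(AAZF.17)C0"},
    "NAS542": {"branch": "ABAG", "last_affected": "V5.21(ABAG.13)C0", "fixed": "V5.21(ABAG.14)C0"},
}

# Assumed layout of a Zyxel NAS firmware string: V<major>.<minor>(<branch>.<build>)C<rev>
VERSION_RE = re.compile(r"^V(\d+)\.(\d+)\(([A-Z]+)\.(\d+)\)C(\d+)$")


class ZyxelVersion(NamedTuple):
    major: int
    minor: int
    branch: str
    build: int
    rev: int

    @property
    def key(self):
        # Ordering used for "and earlier" comparisons (assumption: build
        # numbers increase monotonically within a branch).
        return (self.major, self.minor, self.build, self.rev)


def parse_version(text: str) -> ZyxelVersion:
    """Parse a firmware string; raise ValueError on anything unexpected."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Zyxel version string: {text!r}")
    major, minor, branch, build, rev = m.groups()
    return ZyxelVersion(int(major), int(minor), branch, int(build), int(rev))


def assess(model: str, version: str) -> str:
    """Classify one device as vulnerable, patched, not-covered, or unknown-branch."""
    entry = ADVISORY.get(model.strip().upper())
    if entry is None:
        return "not-covered"          # model not named in this advisory
    v = parse_version(version)
    if v.branch != entry["branch"]:
        return "unknown-branch"       # branch code does not match the model; review manually
    last_affected = parse_version(entry["last_affected"])
    return "vulnerable" if v.key <= last_affected.key else "patched"


def triage(inventory: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Group inventory hostnames by assessment result."""
    report: Dict[str, List[str]] = {}
    for item in inventory:
        status = assess(item["model"], item["version"])
        report.setdefault(status, []).append(item["host"])
    return report


# Constructed sample inventory (hostnames and versions are made up for illustration).
SAMPLE_INVENTORY = [
    {"host": "nas-a", "model": "NAS326", "version": "V5.21(AAZF.16)C0"},
    {"host": "nas-b", "model": "NAS326", "version": "V5.21(AAZF.17)C0"},
    {"host": "nas-c", "model": "NAS542", "version": "V5.20(ABAG.9)C0"},
    {"host": "nas-d", "model": "NAS542", "version": "V5.21(ABAG.14)C0"},
    {"host": "nas-e", "model": "NAS540", "version": "V5.21(AATB.1)C0"},
]

if __name__ == "__main__":
    for status, hosts in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{status:15s} {', '.join(hosts)}")
```

Devices reported as `vulnerable` are on or below the last affected build and should receive the listed patch; `unknown-branch` flags a version string whose branch code does not match the model, which is worth checking by hand rather than assuming either way.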

Got a question?

Please contact your local service rep or visit Zyxel’s community for further information or assistance.

Acknowledgment

Thanks to Timothy Hjort from Outpost24 for reporting the issues to us.

Revision history

2024-6-4: Initial release.