Zyxel security advisory for multiple vulnerabilities in NAS products
Zyxel Employee
CVEs: CVE-2024-29972, CVE-2024-29973, CVE-2024-29974, CVE-2024-29975, CVE-2024-29976
Summary
Zyxel has released patches addressing command injection and remote code execution vulnerabilities in two NAS products that have reached end-of-vulnerability-support. Users are advised to install them for optimal protection.
What are the vulnerabilities?
CVE-2024-29972
**UNSUPPORTED WHEN ASSIGNED**
This command injection vulnerability in the CGI program “remote_help-cgi” in Zyxel NAS326 and NAS542 devices could allow an unauthenticated attacker to execute some operating system (OS) commands bysending a crafted HTTP POST request.
CVE-2024-29973
**UNSUPPORTED WHEN ASSIGNED**
This command injection vulnerability in the “setCookie” parameter in Zyxel NAS326 and NAS542 devices could allow an unauthenticated attacker to execute some OS commands by sending a crafted HTTP POST request.
CVE-2024-29974
**UNSUPPORTED WHEN ASSIGNED**
This remote code execution vulnerabilityin the CGI program “file_upload-cgi” in Zyxel NAS326 and NAS542 devices could allow an unauthenticated attacker to execute arbitrary code by uploading a crafted configuration file to a vulnerable device.
CVE-2024-29975
**UNSUPPORTED WHEN ASSIGNED**
This improper privilege management vulnerability in the SUID executable binary in Zyxel NAS326 and NAS542 devices could allow an authenticated local attacker with administrator privileges to execute some system commands as the “root” user on a vulnerable device.
CVE-2024-29976
**UNSUPPORTED WHEN ASSIGNED**
This improper privilege management vulnerability in the command “show_allsessions” in Zyxel NAS326 and NAS542 devices could allow an authenticated attacker to obtain a logged-in administrator’s session information containing cookies on an affected device.
What versions are vulnerable—and what should you do?
Due to the critical severity of vulnerabilities CVE-2024-29972, CVE-2024-29973, and CVE-2024-29974, Zyxel has made patches available to customers with extended support as outlined in the table below, despite the products already having reached end-of-vulnerability-support*.
Affected model | Affected version | Patch availability |
|---|---|---|
NAS326 | V5.21(AAZF.16)C0 and earlier | |
NAS542 | V5.21(ABAG.13)C0 and earlier |
*Both NAS326 and NAS542 reached end-of-vulnerability-support on Dec. 31, 2023.
Got a question?
Please contact your local service rep or visit Zyxel’s community for further information or assistance.
Acknowledgment
Thanks to Timothy Hjort from Outpost24 for reporting the issues to us.
Revision history
2024-6-4: Initial release.
Categories
- All Categories
- 411 Beta Program
- 2.2K Nebula
- 123 Nebula Ideas
- 86 Nebula Status and Incidents
- 5.3K Security
- 125 USG FLEX H Series
- 250 Security Ideas
- 1.3K Switch
- 70 Switch Ideas
- 945 Wireless
- 36 Wireless Ideas
- 6K Consumer Product
- 225 Service & License
- 353 News and Release
- 73 Security Advisories
- 23 Education Center
- 5 [Campaign] Zyxel Network Detective
- 2.5K FAQ
- 1.3K Nebula FAQ
- 499 Security FAQ
- 268 Switch FAQ
- 245 Access Point FAQ
- 54 Consumer Product FAQ
- 143 Service & License FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 77 About Community
- 65 Security Highlight