
Zyxel Releases Emergency Security Update for NAS Devices

Company Addresses Flaws in End-of-Life NAS Devices

A networking solutions vendor fixed critical vulnerabilities in end-of-life products that allow remote code execution.


Zyxel issued an emergency security update Tuesday that addresses three critical vulnerabilities affecting its older network-attached storage devices: the NAS326 and NAS542 models, which have reached end-of-life status.

The vulnerabilities are identified as CVE-2024-29972, CVE-2024-29973 and CVE-2024-29974.

CVE-2024-29972 involves a command injection vulnerability in the CGI program remote_help-cgi that could let attackers execute OS commands via crafted HTTP POST requests.

CVE-2024-29973, another command injection vulnerability, exists in the "setCookie" parameter and could allow command execution.

CVE-2024-29974 is a remote code execution vulnerability in the CGI program file_upload-cgi that could allow attackers to run arbitrary code by uploading a crafted file.

Outpost24 security researcher Timothy Hjort uncovered these vulnerabilities along with two unpatched vulnerabilities: CVE-2024-29975 and CVE-2024-29974. They are, respectively, a local privilege escalation and a persistent remote code execution vulnerability.

The unpatched vulnerabilities could allow authenticated local attackers to execute system commands as the "root" user or obtain session information containing cookies on affected devices.

Hjort highlighted what he called poor design choices in Zyxel's server setup. The devices' main functions run on a server that uses CherryPy, a Python web framework, and Python 2.

Hjort said this setup relies heavily on user input being filtered and then passed into eval() function calls, which poses significant security risks. He also said that previous vulnerabilities in Zyxel NAS devices were often patched by adding more filters rather than addressing the root issue of code being dependent on eval() calls.
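The design problem Hjort describes, as an added example that is not Zyxel's code and is not taken from the original article: a blocklist filter in front of eval() still executes whatever the filter misses, while parsing the input strictly as data removes the code path. The function names, the blocklist and the sample inputs are hypothetical, and the sketch is written for Python 3 rather than the Python 2 the devices use.

```python
import ast

# Hypothetical blocklist, standing in for the "add another filter" style of patch.
BLOCKLIST = ("import", "os.", "system", "open", "exec", ";", "`")


def parse_with_filtered_eval(raw):
    """Weak pattern: reject known-bad substrings, then eval() what is left."""
    lowered = raw.lower()
    if any(token in lowered for token in BLOCKLIST):
        raise ValueError("rejected by filter")
    # Whatever passes the filter is executed as a Python expression.
    return eval(raw)


def parse_as_data(raw, max_len=256):
    """Root fix: parse the input as data only, then validate its shape."""
    if len(raw) > max_len:
        raise ValueError("input too long")
    try:
        # literal_eval accepts literals only: no names, calls or attributes.
        value = ast.literal_eval(raw)
    except (ValueError, SyntaxError) as exc:
        raise ValueError("not a plain literal") from exc
    if not isinstance(value, list) or not all(isinstance(v, str) for v in value):
        raise ValueError("expected a list of strings")
    return value


# Constructed sample inputs for a parameter that should hold a list of names.
EXPECTED = "['photos', 'backup']"
UNEXPECTED = "sorted(['b', 'a']) * 2"  # benign, but it is code, not data


def outcome(parser, raw):
    """Return ("ok", value) or ("rejected", reason) for one parser and input."""
    try:
        return ("ok", parser(raw))
    except ValueError as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    for raw in (EXPECTED, UNEXPECTED):
        print(raw, outcome(parse_with_filtered_eval, raw), outcome(parse_as_data, raw))
```

The second input passes the filter and is run by eval() as a function call, while the data-only parser rejects it before anything executes.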


About the Author

Prajeet Nair


Assistant Editor, Global News Desk, ISMG

Nair previously worked at TechCircle, IDG, Times Group and other publications, where he reported on developments in enterprise technology, digital transformation and other issues.



