Zyxel NAS devices affected by a critical security threat, so patch now
Zyxel has fixed three serious bugs plaguing some of its NAS devices.
In a security advisory, Zyxel said it has released patches for CVE-2024-29972, CVE-2024-29973 and CVE-2024-29974, three flaws with a severity rating of 9.8/10 (critical), and urged users to apply them immediately. .
The vulnerabilities, discovered in March 2024, were discovered in NAS326 (with version V5.21(AAZF.16)C0 and earlier) and NAS542 (with version V5.21(ABAG.13)C0 and earlier).
Proof of concept
CVE-2024-29972 is a backdoor account in the Zyxel firmware called “NsaRescueAngel”. This is a remote support account with root privileges that Zyxel would have removed four years ago, but obviously didn’t. CVE-2024-29973 is a Python code injection flaw that Zyxel created last year while patching a separate vulnerability (CVE-2023-27992), while CVE-2024-29974 is a Remote Code Execution (RCE) flaw is that gives potential attackers persistence on the computer. compromised devices.
In addition to the three flaws, the researchers found two others: CVE-2024-29975 and CVE-2024-29976. However, these are moderately serious, with a score of 6.7 and 6.5 respectively. Both are described as deficiencies in the escalation of privilege.
It’s also worth noting that these two Zyxel devices reached end-of-life status on December 31, 2023, and Zyxel still decided to patch them for the extended warranty organizations.
“Due to the criticality of vulnerabilities CVE-2024-29972, CVE-2024-29973, and CVE-2024-29974, Zyxel has made patches available to customers with extended support… even though the products have already reached the vulnerability endpoint – support,” the opinion added.
The vulnerabilities were found by Timothy Hjort, a security research intern at Outpost24, The register reported. In addition to the discovery, Hjort also included a proof of concept (PoC) that showed how the vulnerabilities could be exploited. However, at the time of writing, there were no reports or evidence of misuse in the wild, but since the devices are beyond EoD and the methodology is widely available, this is likely only a matter of time.