Emergency patches released for critical vulns impacting EOL Zyxel NAS boxes


Zyxel just released security fixes for two of its obsolete network-attached storage (NAS) devices after an intern at a security vendor reported critical flaws months ago.

The NAS326 (running version V5.21(AAZF.16)C0 and earlier) and NAS542 (running versions V5.21(ABAG.13)C0 and earlier) models are affected. They both reached end-of-life (EOL) status on December 31, 2023, and are now vulnerable to several critical vulnerabilities that could lead to remote code execution (RCE) and other issues.

Timothy Hjort, a vulnerability research intern at Outpost24, reported five vulnerabilities to the Taiwan-based vendor in March. Hjort and Zyxel released the vulnerability details and patches respectively on Tuesday via a coordinated disclosure.

Hjort's writeup also included proof of concept code that would inform potential attackers on how to exploit the vulnerabilities, meaning it's especially important to apply patches now.


"Due to the critical severity of vulnerabilities CVE-2024-29972, CVE-2024-29973, and CVE-2024-29974, Zyxel has made patches available to customers with extended support… despite the products already having reached end-of-vulnerability-support," the vendor said in an advisory.

All three of the critical flaws received CVSSv3 severity scores of 9.8 – nearly as bad as they come.

CVE-2024-29972 relates to a backdoor account in the Zyxel firmware called "NsaRescueAngel" – a remote support account with root privileges that was supposedly removed in 2020, but appears to be alive and kicking, at least in these affected versions.
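A defender auditing a device for a leftover vendor support account like the one described above would typically look for any account with uid 0 other than `root`, plus the known account name itself. The following is an added example, not code from the article, from Zyxel or from Outpost24; it assumes the NAS keeps accounts in a standard `/etc/passwd`-style file, and the sample file contents are constructed for the demonstration.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in /etc/passwd layout; NOT taken from real Zyxel firmware.
# Whether the real device stores accounts this way is an assumption.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
admin:x:501:501:Administrator:/home/admin:/bin/sh
NsaRescueAngel:x:0:0:Remote support:/:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/false
"""

# Account name reported in the article as a root-privileged remote support backdoor.
KNOWN_SUPPORT_ACCOUNTS = {"NsaRescueAngel"}


def parse_passwd(text: str) -> List[Dict[str, object]]:
    """Parse passwd-format text into a list of account dicts.

    Blank lines and '#' comments are skipped; a line that does not have exactly
    seven colon-separated fields is treated as an error rather than guessed at.
    """
    entries: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, _pw, uid, gid, gecos, home, shell = fields
        entries.append({
            "name": name,
            "uid": int(uid),
            "gid": int(gid),
            "gecos": gecos,
            "home": home,
            "shell": shell,
        })
    return entries


def find_suspicious_accounts(entries: List[Dict[str, object]]) -> List[Tuple[str, List[str]]]:
    """Return (account name, reasons) for every account that warrants review."""
    findings: List[Tuple[str, List[str]]] = []
    for e in entries:
        reasons: List[str] = []
        # Any second uid-0 account is effectively another root login.
        if e["uid"] == 0 and e["name"] != "root":
            reasons.append("uid 0 but name is not 'root'")
        if e["name"] in KNOWN_SUPPORT_ACCOUNTS:
            reasons.append("matches a known vendor support/backdoor account name")
        if reasons:
            findings.append((str(e["name"]), reasons))
    return findings


if __name__ == "__main__":
    # Run offline against the constructed sample; on a real device you would
    # feed it the contents of the account file pulled from the unit.
    for name, reasons in find_suspicious_accounts(parse_passwd(SAMPLE_PASSWD)):
        print(f"{name}: {'; '.join(reasons)}")
```

Because the article notes that the backdoor account is wiped on reboot, a one-off check after a restart can miss it; the useful pattern is to run this against an image of the firmware's account file or to check repeatedly while the device is up.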


CVE-2024-29973 is a Python code injection flaw that was introduced, Hjort says, after Zyxel patched a critical vuln from last year (CVE-2023-27992), the research into which informed the intern's latest discoveries.

In patching CVE-2023-27992, Hjort said Zyxel "added a new endpoint that uses the same approach as the old ones, and while doing so, implemented the same mistakes as its predecessors." In short, a specially crafted HTTP POST request allows attackers to execute commands on the operating system.

Finally, CVE-2024-29974 is an RCE bug that affords attackers a little more, in that it achieves persistence, whereas the NsaRescueAngel backdoor is wiped after the device reboots. It affects the firmware's file_upload-cgi program, which is responsible for backing up and restoring a device's config files.

The other two vulnerabilities – CVE-2024-29975 and CVE-2024-29976 – are both privilege escalation flaws with 6.7 and 6.5 severity scores respectively.

The three critical flaws are now patched with version V5.21(AAZF.17)C0 for NAS326 devices and V5.21(ABAG.14)C0 for NAS542 boxes.
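For anyone with more than a handful of these units, the practical question is which firmware strings in an inventory fall at or below the affected versions above and which already carry the fix. The following is an added example, not code from the article or from Zyxel; it assumes the version strings follow the `V<major>.<minor>(<model code>.<build>)C<rev>` shape seen in the article and that "and earlier" means ordering by major, minor, build and then the trailing C revision, which is an assumption about Zyxel's numbering. The inventory lines are constructed for the demonstration.

```python
import re
from typing import List, NamedTuple, Optional, Tuple


class ZyxelVersion(NamedTuple):
    major: int
    minor: int
    code: str   # model code in the parentheses: AAZF (NAS326), ABAG (NAS542) per the article
    build: int
    rev: int    # trailing C<rev>


# Assumed layout of the version string, e.g. V5.21(AAZF.17)C0.
_VERSION_RE = re.compile(r"^V(\d+)\.(\d+)\(([A-Z]+)\.(\d+)\)C(\d+)$")


def parse_version(s: str) -> ZyxelVersion:
    """Parse a Zyxel NAS firmware string; raise ValueError on anything unexpected."""
    m = _VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version string: {s!r}")
    major, minor, code, build, rev = m.groups()
    return ZyxelVersion(int(major), int(minor), code, int(build), int(rev))


# First fixed versions quoted in the article, keyed by model code.
FIXED_VERSIONS = {
    "AAZF": parse_version("V5.21(AAZF.17)C0"),   # NAS326
    "ABAG": parse_version("V5.21(ABAG.14)C0"),   # NAS542
}


def _order_key(v: ZyxelVersion) -> Tuple[int, int, int, int]:
    # Assumption: compare major, minor, build, then C revision.
    return (v.major, v.minor, v.build, v.rev)


def is_vulnerable(version_str: str) -> Optional[bool]:
    """True if below the first fixed build, False if fixed, None if not an affected model."""
    v = parse_version(version_str)
    fixed = FIXED_VERSIONS.get(v.code)
    if fixed is None:
        return None
    return _order_key(v) < _order_key(fixed)


def triage_inventory(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Classify 'hostname <whitespace> version' lines as VULNERABLE, PATCHED, NOT_AFFECTED or UNPARSEABLE."""
    results: List[Tuple[str, str, str]] = []
    for line in lines:
        if not line.strip():
            continue
        host, _, version = line.strip().partition(" ")
        try:
            verdict = is_vulnerable(version)
        except ValueError:
            results.append((host, version, "UNPARSEABLE"))
            continue
        status = {True: "VULNERABLE", False: "PATCHED", None: "NOT_AFFECTED"}[verdict]
        results.append((host, version, status))
    return results


# Constructed inventory; hostnames and the mix of versions are made up.
SAMPLE_INVENTORY = [
    "nas-a V5.21(AAZF.16)C0",
    "nas-b V5.21(AAZF.17)C0",
    "nas-c V5.21(ABAG.13)C0",
    "nas-d V5.21(ABAG.14)C0",
    "nas-e V5.21(ZZZZ.3)C0",
    "nas-f not-a-version",
]

if __name__ == "__main__":
    for host, version, status in triage_inventory(SAMPLE_INVENTORY):
        print(f"{host:8} {version:22} {status}")
```

Anything classified as VULNERABLE is running a build the article lists as affected by the three 9.8-rated flaws; since both models are past end-of-life, devices that cannot be updated to the fixed builds are candidates for removal from the network rather than for continued monitoring.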

Neither Zyxel nor Hjort commented on whether the vulns have actually been exploited in the wild. However, when the blueprints on how to do so are published, it's usually only a matter of days before attacks spin up… just ask JetBrains. ®
