‘NsaRescueAngel’ Backdoor Account Again Discovered in Zyxel Products

Critical vulnerabilities in discontinued Zyxel NAS products allow unauthenticated attackers to execute arbitrary code and OS commands.

Taiwan-based networking device manufacturer Zyxel on Tuesday warned of three critical-severity vulnerabilities in two discontinued NAS products that could lead to command injection and arbitrary code execution.

The first two, CVE-2024-29972 and CVE-2024-29973, are command injection bugs that an unauthenticated attacker can trigger with crafted HTTP POST requests.

The third, CVE-2024-29974, is also reachable without authentication and allows arbitrary code execution through the upload of a crafted configuration file.

In its advisory, Zyxel warns that the impacted products – NAS326 and NAS542 – were discontinued in December 2023.

“Due to the critical severity of vulnerabilities CVE-2024-29972, CVE-2024-29973, and CVE-2024-29974, Zyxel has made patches available to customers with extended support, despite the products already having reached end-of-vulnerability-support,” the company notes.

According to Outpost24 security researcher Timothy Hjort, who discovered and reported the flaws, successful exploitation of these issues could allow an attacker to achieve persistent root access to the vulnerable NAS devices.


CVE-2024-29972, Hjort explains in a technical writeup, lets an attacker enable a backdoor account that holds root privileges, which amounts to full compromise of the targeted device.

The account, named ‘NsaRescueAngel’, was first discovered several years ago. Zyxel reportedly removed it in 2020, but Outpost24 says it was reintroduced at some point since.
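A defender who cannot patch still wants to know whether a root-equivalent account like this is present and actually usable on a device. The script below is an added example written for this page, not code from the SecurityWeek article, Zyxel or Outpost24. It assumes a Linux userland with standard colon-separated /etc/passwd and /etc/shadow files and that an enabled backdoor account would show up as a uid-0 entry with a usable password hash; the article does not say how ‘NsaRescueAngel’ is stored on the NAS, so the sample files are constructed.

```python
"""Audit passwd/shadow data for root-equivalent accounts and report whether
each one is enabled (usable for login) or locked.

Added example; not code from the SecurityWeek article, Zyxel or Outpost24.
Assumptions: standard /etc/passwd and /etc/shadow layouts, and an enabled
backdoor account appears as a uid-0 entry with a usable password field.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample data, not captured from a real device.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
NsaRescueAngel:x:0:0:remote support:/root:/bin/sh
support:x:0:0:vendor support:/root:/bin/sh
admin:x:1000:1000:admin:/home/admin:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
this line is malformed and must be skipped
"""

SAMPLE_SHADOW = """\
root:$6$saltsalt$fakehash:19800:0:99999:7:::
NsaRescueAngel:$1$saltsalt$fakehash:19800:0:99999:7:::
support:!:19800:0:99999:7:::
admin:$6$saltsalt$fakehash:19800:0:99999:7:::
"""

# Account names publicly reported as vendor backdoors; extend from your own intel.
KNOWN_BACKDOOR_NAMES = {"NsaRescueAngel"}


@dataclass(frozen=True)
class Finding:
    user: str
    uid: int
    enabled: bool   # False when the password field is locked ('!' or '*')
    reason: str


def parse_passwd(text: str) -> List[Tuple[str, str, int, str]]:
    """Return (user, password_field, uid, shell) tuples; skips malformed lines."""
    entries = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            continue  # comment, blank or malformed line
        user, pw, uid, _gid, _gecos, _home, shell = fields
        entries.append((user, pw, int(uid), shell))
    return entries


def parse_shadow(text: str) -> Dict[str, str]:
    """Map user -> password field from shadow; skips malformed lines."""
    hashes = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 2:
            continue
        hashes[fields[0]] = fields[1]
    return hashes


def account_enabled(pw_field: str) -> bool:
    """A password field beginning with '!' or '*' is locked; anything else,
    including an empty field (no password at all), permits login."""
    return not pw_field.startswith(("!", "*"))


def audit(passwd_text: str, shadow_text: str = "",
          allowed_root=("root",)) -> List[Finding]:
    """Flag uid-0 accounts outside the allow-list and any known backdoor
    name regardless of uid, with the enabled/locked state of each."""
    shadow = parse_shadow(shadow_text)
    allowed = set(allowed_root)
    findings = []
    for user, pw, uid, _shell in parse_passwd(passwd_text):
        # Prefer the shadow entry; fall back to the passwd field (busybox
        # images sometimes keep hashes there). An 'x' with no shadow entry
        # cannot be resolved, so it is treated as enabled (conservative).
        enabled = account_enabled(shadow.get(user, pw))
        if user in KNOWN_BACKDOOR_NAMES:
            findings.append(Finding(user, uid, enabled, "known backdoor account name"))
        elif uid == 0 and user not in allowed:
            findings.append(Finding(user, uid, enabled, "unexpected uid-0 account"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_PASSWD, SAMPLE_SHADOW):
        state = "ENABLED" if f.enabled else "locked"
        print(f"{f.user:16} uid={f.uid} {state:8} {f.reason}")
```

On the constructed sample this reports ‘NsaRescueAngel’ as an enabled uid-0 backdoor and ‘support’ as a uid-0 account that is present but locked; the distinction matters because the flaw described above is about enabling an account that already exists, so presence alone is not the signal.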

The second bug, CVE-2024-29973, was introduced last year, Hjort says, by the very patches Zyxel rolled out for CVE-2023-27992, a pre-authentication command injection in some NAS devices: the fix for one injection flaw created another.

As for CVE-2024-29974, it impacts a function for backing up and restoring configuration files, and allows an attacker to achieve persistent code execution on a vulnerable device, Hjort says.

The bugs were reported to Zyxel in March 2024 along with two other vulnerabilities in the same products, CVE-2024-29975 and CVE-2024-29976, which could lead to privilege escalation and information disclosure, respectively. Both require authentication to exploit.

NAS326 users are advised to update to firmware version V5.21(AAZF.17)C0 as soon as possible; NAS542 users should update to V5.21(ABAG.14)C0. Because the fixes were released only to customers with extended support, any device that cannot be updated should be treated as unpatched and exploitable without authentication, and should not be exposed to untrusted networks.
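Across a fleet, the useful check is whether each device reports a build at or above the fixed one for its model. The following is an added example written for this page, not code from the SecurityWeek article or Zyxel. The fixed builds are the two named above; everything else is an assumption: that Zyxel version strings take the form V<major>.<minor>(<line>.<build>)C<rev>, that the <line> code is tied to the model (AAZF for NAS326, ABAG for NAS542), and that builds order by (major, minor, build, rev). The inventory is constructed and the C1 revision in it is hypothetical.

```python
"""Check a NAS inventory against the firmware builds that carry the fixes.

Added example; not from the SecurityWeek article or Zyxel. The fixed builds
are the two the article names. Assumed version format:
V<major>.<minor>(<line>.<build>)C<rev>, line tied to model, ordered by
(major, minor, build, rev). Inventory below is constructed.
"""
import re
from typing import List, NamedTuple, Tuple

FIXED_FIRMWARE = {
    "NAS326": "V5.21(AAZF.17)C0",
    "NAS542": "V5.21(ABAG.14)C0",
}

_VERSION_RE = re.compile(r"^V(\d+)\.(\d+)\(([A-Z]+)\.(\d+)\)C(\d+)$")


class FirmwareVersion(NamedTuple):
    major: int
    minor: int
    line: str   # model-specific firmware line, e.g. AAZF (assumption)
    build: int
    rev: int

    def key(self) -> Tuple[int, int, int, int]:
        """Ordering key; 'line' is excluded on purpose because builds from
        different lines are not comparable with each other."""
        return (self.major, self.minor, self.build, self.rev)


def parse_version(text: str) -> FirmwareVersion:
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return FirmwareVersion(int(m.group(1)), int(m.group(2)), m.group(3),
                           int(m.group(4)), int(m.group(5)))


def is_patched(model: str, reported: str) -> bool:
    """True when the reported build is at or above the fixed build for model.
    Raises on an unknown model, an unparseable version, or a line mismatch
    (which usually means the inventory's model field is wrong)."""
    fixed = parse_version(FIXED_FIRMWARE[model])
    got = parse_version(reported)
    if got.line != fixed.line:
        raise ValueError(f"{model}: firmware line {got.line} != {fixed.line}")
    return got.key() >= fixed.key()


# Constructed inventory: (host, model, firmware string as reported by device).
INVENTORY = [
    ("nas-01", "NAS326", "V5.21(AAZF.16)C0"),   # one build behind the fix
    ("nas-02", "NAS326", "V5.21(AAZF.17)C0"),   # exactly the fixed build
    ("nas-03", "NAS542", "V5.21(ABAG.13)C0"),   # behind the fix
    ("nas-04", "NAS542", "V5.21(ABAG.14)C1"),   # hypothetical later rev
    ("nas-05", "NAS542", "V5.21(AAZF.17)C0"),   # line does not match model
    ("nas-06", "NAS326", "unknown"),            # device did not answer
]


def triage(inventory) -> List[Tuple[str, str, str, str]]:
    """Label every host vulnerable/patched/unknown; one bad record must not
    abort the sweep, and must not be silently counted as patched."""
    out = []
    for host, model, version in inventory:
        try:
            status = "patched" if is_patched(model, version) else "vulnerable"
        except (KeyError, ValueError):
            status = "unknown"  # needs a manual check
        out.append((host, model, version, status))
    return out


if __name__ == "__main__":
    for host, model, version, status in triage(INVENTORY):
        print(f"{host:8} {model:7} {version:20} {status}")
```

The line check catches the common inventory mistake of recording the wrong model for a host: a NAS542 that reports an AAZF build is flagged "unknown" rather than wrongly marked patched, and so is any device whose version string cannot be parsed at all.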

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
