Company Addresses Flaws in End-of-Life NAS Devices
A networking solutions vendor fixed critical vulnerabilities in end-of-life products that allow remote code execution.
Zyxel issued an emergency security update Tuesday that addresses three critical vulnerabilities affecting its older network-attached storage devices: the NAS326 and NAS542 models, which have reached end-of-life status.
The vulnerabilities are identified as CVE-2024-29972, CVE-2024-29973 and CVE-2024-29974.
CVE-2024-29972 involves a command injection vulnerability in the CGI program remote_help-cgi that could let attackers execute OS commands via crafted HTTP POST requests.
CVE-2024-29973, another command injection vulnerability, exists in the “setCookie” parameter and could allow command execution.
CVE-2024-29974 is a remote code execution vulnerability in the CGI program file_upload-cgi that could allow attackers to run arbitrary code by uploading a crafted file.
Outpost24 security researcher Timothy Hjort uncovered these vulnerabilities along with two unpatched vulnerabilities: CVE-2024-29975 and CVE-2024-29974. They are, respectively, a local privilege escalation and a persistent remote code execution vulnerability.
The unpatched vulnerabilities could allow authenticated local attackers to execute system commands as the “root” user or obtain session information containing cookies on affected devices.
Hjort highlighted what he called poor design choices in Zyxel’s server setup. The devices’ main functions run on a server that uses CherryPy, a Python web framework, and Python 2.
Hjort said this setup relies heavily on user input being filtered and then passed into eval() function calls, which poses significant security risks. He also said that previous vulnerabilities in Zyxel NAS devices were often patched by adding more filters rather than addressing the root issue of code being dependent on eval() calls.
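The design problem Hjort describes, shown as an added illustration that is not Zyxel's code: a request parameter is run through a blocklist filter and then handed to eval(), so anything that slips past the filter is still executed as code, whereas the hardened handler parses the parameter as data and validates its shape. The blocklist, the expected dict shape and the function names are assumptions for the example, and it is written for Python 3 rather than the Python 2 stack the article mentions.

```python
import ast

# Constructed blocklist standing in for the kind of filter the article
# describes; it is not a list taken from any Zyxel firmware.
BLOCKED_TOKENS = ("import", "os.", "system", "subprocess")


def parse_with_eval(param: str):
    """Anti-pattern: filter, then eval().

    The filter rejects a few known-bad substrings, but whatever passes is
    still interpreted as Python code, so a harmless-looking expression such
    as a function call is executed rather than treated as a value.
    """
    if any(tok in param for tok in BLOCKED_TOKENS):
        raise ValueError("rejected by filter")
    return eval(param)  # kept deliberately to show the weak design


def parse_as_data(param: str) -> dict:
    """Hardened replacement: treat the parameter as data, never as code.

    ast.literal_eval only accepts Python literals (no calls, names or
    attribute access). The result is then checked against the one shape
    this hypothetical handler expects: a dict mapping str to str.
    """
    try:
        value = ast.literal_eval(param)
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError):
        raise ValueError("parameter is not a literal")
    if not isinstance(value, dict) or not all(
        isinstance(k, str) and isinstance(v, str) for k, v in value.items()
    ):
        raise ValueError("parameter has an unexpected shape")
    return value


def is_rejected(param: str) -> bool:
    """Return True if the hardened parser refuses the parameter."""
    try:
        parse_as_data(param)
    except ValueError:
        return True
    return False
```

Adding more tokens to BLOCKED_TOKENS never changes the fact that parse_with_eval executes its input; only the second approach removes the code path.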