Share This:

Cybersecurity Threat Advisory

Zyxel has released a patch for their NAS326 and NAS542 to fix five new vulnerabilities that have been discovered. These vulnerabilities affect devices with versions 5.21 (AAZF16/ABAG13) and earlier. Barracuda MSP recommends customers using these devices to follow the steps in this Cybersecurity Threat Advisory to limit your exposure.

What is the threat?

The five vulnerabilities are:

  • CVE-2024-29972: A Python code injection vulnerability that allows the attacker to run arbitrary Python code.
  • CVE-2024-29973: A persistent remote code execution vulnerability that allows an attacker to upload their malicious config, including cron jobs, allowing for persistence and regular command execution.
  • CVE-2024-29974: A backdoor account, NsaRescueAngel, that allows unauthorized parties to gain root privilege access to the device by logging into the malicious account.
  • CVE-2024-29975: A local privilege escalation vulnerability that allows root privilege access in a password-less sudo.
  • CVE-2024-29976: A Privilege escalation vulnerability that exploits information disclosure to reveal the authentication cookies for all authenticated users.

Why is it noteworthy?

A highly detailed writeup on how these vulnerabilities work and some proof-of-concept code has been shared to exploit these vulnerabilities. This means anyone can exploit unpatched systems with minimal effort.

What is the exposure or risk?

Since these vulnerabilities impact network-related devices, it poses significant risks to organizations using these affected devices. Additionally, since a successful attack can control compromised devices through these vulnerabilities, attackers can leverage the exploited device to deploy lateral attacks on the internal network. NAS devices are used for data storage, it is important to consider what is stored on the affected devices. Files on a compromised NAS could be read or modified without authentication, leading to a significant impact on the confidentiality, integrity, and availability of the data on the affected device.

What are the recommendations?

Barracuda MSP recommends the following actions to limit the impact of these vulnerabilities:

  • Update NAS326 and NAS542 with versions 5.21 (AAZF16/ABAG13) and earlier to the most recent firmware immediately to mitigate your risks.
  • Implement a VPN solution for remote access to minimize your risks.
  • Place any internet-accessible services behind a DMZ to help limit access to internal resources and reducing the attack surface.
  • Consider upgrading to more modern devices/software as the affected Zyxel NAS devices were out of their service life.

References

For more in-depth information about the recommendations, please visit the following links:

If you have any questions about this Cybersecurity Threat Advisory, please contact Barracuda XDR’s Security Operations Center.


Share This:
Matthew Smith

Posted by Matthew Smith

Matthew is a Cybersecurity Analyst at Barracuda MSP. He supports our XDR service delivery and is highly skilled at analyzing security events to detect cyber threats, helping keep our partners and their customers protected.

Leave a reply

Your email address will not be published. Required fields are marked *