Cyber Security Technology

Zyxel Releases Patches for Firmware Vulnerabilities in EoL NAS Models

Avatar photo

Bythehackernews.com

Jun 4, 2024

Jun 05, 2024NewsroomVulnerability / Data Security

NAS Models

Zyxel has released security updates to address critical flaws impacting two of its network-attached storage (NAS) devices that have currently reached end-of-life (EoL) status.

Successful exploitation of three of the five vulnerabilities could permit an unauthenticated attacker to execute operating system (OS) commands and arbitrary code on affected installations.

Impacted models include NAS326 running versions V5.21(AAZF.16)C0 and earlier, and NAS542 running versions V5.21(ABAG.13)C0 and earlier. The shortcomings have been resolved in versions V5.21(AAZF.17)C0 and V5.21(ABAG.14)C0, respectively.

Cybersecurity

A brief description of the flaws is as follows –

  • CVE-2024-29972 – A command injection vulnerability in the CGI program “remote_help-cgi” that could allow an unauthenticated attacker to execute some operating system (OS) commands by sending a crafted HTTP POST request
  • CVE-2024-29973 – A command injection vulnerability in the ‘setCookie’ parameter that could allow an unauthenticated attacker to execute some OS commands by sending a crafted HTTP POST request
  • CVE-2024-29974 – A remote code execution vulnerability in the CGI program ‘file_upload-cgi’ that could allow an unauthenticated attacker to execute arbitrary code by uploading a crafted configuration file
  • CVE-2024-29975 – An improper privilege management vulnerability in the SUID executable binary that could allow an authenticated local attacker with administrator privileges to execute some system commands as the ‘root’ user
  • CVE-2024-29976 – An improper privilege management vulnerability in the command ‘show_allsessions’ that could allow an authenticated attacker to obtain a logged-in administrator’s session information containing cookies on an affected device

Outpost24 security researcher Timothy Hjort has been credited with discovering and reporting the five flaws. It’s worth noting that the two of the privilege escalation flaws that require authentication remain unpatched.

While there is no evidence that the issues have been exploited in the wild, users are recommended to update to the latest version for optimal protection.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Source: thehackernews.com/

Related posts:

The Morning After: This is Doom running on E. coli bacteria
Valve's Steam Deck is on sale for the first time
Slapstick platformer Thank Goodness You're Here! arrives August 1
Malware Analysis: Trickbot
Ransomware Payments, Demands Rose Dramatically in 2021

Leave a Reply

Your email address will not be published. Required fields are marked *

You missed

Lifestyle Transportation

EVs fare poorly in J.D. Power quality survey; Ram and Porsche top the rankings

Jun 27, 2024 autoblog
Entertainment News Politics The Blaze

‘Castrated robots’: Tucker Carlson dismantles liberal journalist in front of Aussie crowd

Jun 27, 2024 theblaze
Fox News Politics Republican

Ad Wars: Trump and Biden campaigns take to airwaves and online ahead of and during presidential debate

Jun 27, 2024 foxnews.com
News The Blaze The Blaze

THIS is why CNN cut off Trump press secretary’s mic?

Jun 27, 2024 theblaze