Zyxel NAS devices hit by critical security threat, so patch now
Date:
Thu, 06 Jun 2024 16:47:57 +0000
Description:
Five vulnerabilities discovered in two NAS devices, three of which were given the most critical severity.
FULL STORY ======================================================================
Zyxel has patched three high-severity flaws plaguing some of its NAS devices.
In a security advisory, Zyxel said it released patches for CVE-2024-29972, CVE-2024-29973, and CVE-2024-29974, three flaws with severity scores of 9.8/10 (critical), and urged users to apply them immediately.
The vulnerabilities, discovered in March 2024, affect the NAS326 (running version V5.21(AAZF.16)C0 and earlier) and the NAS542 (running version V5.21(ABAG.13)C0 and earlier).
CVE-2024-29972 is a backdoor account in the Zyxel firmware, called "NsaRescueAngel". This is a remote support account with root privileges that Zyxel supposedly removed four years ago, but obviously didn't. CVE-2024-29973 is a Python code injection flaw that Zyxel introduced while patching a separate vulnerability last year (CVE-2023-27992), while CVE-2024-29974 is a remote code execution (RCE) flaw granting potential attackers persistence on the compromised devices.
Besides the three flaws, the researchers found two additional ones, CVE-2024-29975 and CVE-2024-29976. These are only moderately severe, with scores of 6.7 and 6.5, respectively. Both are described as privilege escalation flaws.
It is also worth mentioning that these two Zyxel devices reached end-of-life status on December 31, 2023, and Zyxel still decided to patch them for the organizations with extended warranty.
"Due to the critical severity of vulnerabilities CVE-2024-29972, CVE-2024-29973, and CVE-2024-29974, Zyxel has made patches available to customers with extended support despite the products already having reached end-of-vulnerability-support," the advisory added.
The vulnerabilities were found by Timothy Hjort, a security research intern at Outpost24, The Register reported. Alongside the discovery, Hjort also published a proof of concept (PoC) that demonstrated how the vulnerabilities could be exploited. At press time, there were no reports or evidence of in-the-wild abuse; however, since the devices are past end-of-life, and with the methodology widely available, it is probably just a matter of time.
======================================================================
Link to news story:
https://www.techradar.com/pro/security/zyxel-nas-devices-hit-by-critical-security-threat-so-patch-now
--- Mystic BBS v1.12 A47 (Linux/64)
* Origin: tqwNet Technology News (1337:1/100)