News: 1717608610

  ARM Give a man a fire and he's warm for a day, but set fire to him and he's warm for the rest of his life (Terry Pratchett, Jingo)

Emergency patches released for critical vulns impacting EOL Zyxel NAS boxes

(2024/06/05)


Zyxel just released security fixes for two of its obsolete network-attached storage (NAS) devices after an intern at a security vendor reported critical flaws months ago.

The NAS326 (running version V5.21(AAZF.16)C0 and earlier) and NAS542 (running versions V5.21(ABAG.13)C0 and earlier) models are affected. They both reached end-of-life (EOL) status on December 31, 2023, and are now vulnerable to several critical vulnerabilities that could lead to remote code execution (RCE) and other issues.

Timothy Hjort, a vulnerability research intern at Outpost24, reported five vulnerabilities to the Taiwan-based vendor in March. Hjort and Zyxel released the vulnerability details and patches respectively on Tuesday via a coordinated disclosure.

[1]

Hjort's writeup also included proof of concept code that would inform potential attackers on how to exploit the vulnerabilities, meaning it's especially important to apply patches now.

JetBrains is still mad at Rapid7 for the ransomware attacks on its customers [2]READ MORE

"Due to the critical severity of vulnerabilities CVE-2024-29972, CVE-2024-29973, and CVE-2024-29974, Zyxel has made patches available to customers with extended support… despite the products already having reached end-of-vulnerability-support," the vendor [3]said in an advisory.

All three of the critical flaws received CVSSv3 [4]severity scores of 9.8 – nearly as bad as they come.

[5]

[6]

CVE-2024-29972 relates to a backdoor account in the Zyxel firmware called "NsaRescueAngel" – a remote support account with root privileges that was [7]supposedly removed in 2020 , but appears to be alive and kicking, at least in these affected versions.

[8]Microsoft paid Tenable a bug bounty for an Azure flaw it says doesn't need a fix, just better documentation

[9]NIST turns to IT consultants to clear National Vulnerability Database backlog

[10]Check Point warns customers to patch VPN vulnerability under active exploitation

[11]Snowflake denies miscreants melted its security to steal data from top customers

CVE-2024-29973 is a Python code injection flaw that was introduced, Hjort says, after Zyxel patched a critical vuln from last year (CVE-2023-27992), the research into which informed the intern's [12]latest discoveries .

In patching CVE-2023-27992, Hjort said Zyxel "added a new endpoint that uses the same approach as the old ones, and while doing so, implemented the same mistakes as its predecessors." In short, a specially crafted HTTP POST request allows attackers to execute commands on the operating system.

Finally, CVE-2024-29974 is an RCE bug that affords attackers a little more in that it achieves persistence. The NsaRescueAngel backdoor, however, is wiped after the device reboots. It affects the firmware's file_upload-cgi program, which is responsible for backing up and restoring a device's config files.

[13]

The other two vulnerabilities – CVE-2024-29975 and CVE-2024-29976 – are both privilege escalation flaws with 6.7 and 6.5 severity scores respectively.

The three critical flaws are now patched with version V5.21(AAZF.17)C0 for NAS326 devices and V5.21(ABAG.14)C0 for NAS542 boxes.

Neither Zyxel nor Hjort commented on whether the vulns have actually been exploited in the wild. However, when the blueprints on how to do so are published, it's usually only a matter of days before attacks spin up… [14]just ask JetBrains . ®

Get our [15]Tech Resources



[1] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/patches&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2ZmDf@cm1Pxh4-YSwxom-rQAAAEY&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0

[2] https://www.theregister.com/2024/03/12/jetbrains_is_still_mad_at/

[3] https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-multiple-vulnerabilities-in-nas-products-06-04-2024

[4] https://www.theregister.com/2024/03/22/opinion_column_nist/

[5] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/patches&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZmDf@cm1Pxh4-YSwxom-rQAAAEY&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[6] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/patches&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33ZmDf@cm1Pxh4-YSwxom-rQAAAEY&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[7] https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-nas-remote-access-vulnerability

[8] https://www.theregister.com/2024/06/05/tenable_azure_flaw/

[9] https://www.theregister.com/2024/06/03/nist_cve_backlog/

[10] https://www.theregister.com/2024/06/03/infosec_in_brief/

[11] https://www.theregister.com/2024/05/31/snowflake_breach_report/

[12] https://outpost24.com/blog/zyxel-nas-critical-vulnerabilities/

[13] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/patches&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZmDf@cm1Pxh4-YSwxom-rQAAAEY&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[14] https://www.theregister.com/2024/03/12/jetbrains_is_still_mad_at/

[15] https://whitepapers.theregister.com/



The dangers of using CGI web protocols in your backdoor /s

t245t

[1]Hjort's writeup : “ Five new vulnerabilities found in Zyxel NAS devices (including code execution and privilege escalation) ”

“ Based upon NVDs description of CVE-2023-27992 I figured the vulnerability was present in a web server, and based upon my own experience on integrated devices affected by command injections, I figured this would be a CGI webserver. ”

[1] https://outpost24.com/blog/zyxel-nas-critical-vulnerabilities/

Just run Debian on it

may_i

Even without the security holes, the Zyxel firmware is a privacy nightmare. It has a feature called myZxelCloud-Agent which seems to sends everything you write to the disks up to Zyxel's servers for indexing, whether you enable the cloud storage function or not. Even if you delete myZxelCloud-Agent, the firmware downloads and re-installs it again unless you take concerted action to prevent it.

However, you can kick Zyxel's firmware out and boot the box with Debian instead. That lets you combine two 12TB disks into a logical 24TB partition and use it as a very handy backup device. It's always hard to make backups of a large NAS server, but using this super cheap box, I can regularly rsync the most important datasets from my proper NAS to one of these. If you have a pair of them and a friend nearby, it's easy to always keep one of them away from home and have a fire-proof backup of the data which is most important to you.

It's a shame that there's nothing these days which even comes close to the price I paid for these units when retailers were clearing their stocks of them. The first rsync takes a couple of weeks, but after that, the performance is more than adequate for keeping many terabytes of backups fresh and safe.

The onset and the waning of love make themselves felt in the uneasiness
experienced at being alone together.
-- Jean de la Bruyere