Alert!

Security updates despite end of support: Zyxel secures NAS systems

Apparently, five recently discovered vulnerabilities are so dangerous that Zyxel has to take care of the EoL devices.

This article was originally published in German and has been automatically translated.

Support for Zyxel's NAS326 and NAS542 NAS models has expired, and the devices would normally no longer receive security patches. However, the network equipment supplier has now released updates to protect the NAS systems against possible attacks.

The vulnerabilities (CVE-2024-29972, CVE-2024-29973, CVE-2024-29974, CVE-2024-29975, CVE-2024-29976) were discovered by a security researcher from Outpost24. Even though the threat level of the vulnerabilities has not yet been officially classified, the researcher speaks of a "critical" threat in a report.

If attacks are successful, attackers can, in the worst case, execute their own commands or even malicious code and compromise NAS systems. According to Zyxel's warning message, attackers do not need to be authenticated to execute commands. By sending crafted HTTP requests, it is reportedly possible to execute commands at system level.

In his article on the vulnerabilities, the researcher explains in detail how attacks can take place and what effects they have. He states that he discovered the vulnerabilities during a routine test. He informed Zyxel of this in mid-March of this year. The security updates have been available since the beginning of April. It is currently unknown whether attacks are already taking place.

The network equipment supplier states that the security patches for NAS326 V5.21(AAZF.17)C0 and NAS542 V5-21(ABAG.14)C0 are available for customers with extended support. All previous versions are said to be under threat. Support for the devices expired on December 31, 2023.

(des)