CVE-2024-29976
📋 TL;DR
This vulnerability allows authenticated attackers on Zyxel NAS devices to view administrator session information including cookies via the 'show_allsessions' command. This affects Zyxel NAS326 and NAS542 models running outdated firmware. Attackers could potentially hijack administrator sessions.
💻 Affected Systems
- Zyxel NAS326
- Zyxel NAS542
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
An authenticated attacker could steal administrator session cookies, gain administrative privileges, and fully compromise the NAS device including data theft, ransomware deployment, or using it as an attack pivot point.
Likely Case
An authenticated user (including low-privilege accounts) could escalate privileges to administrator level by stealing session cookies and accessing sensitive data or configuration settings.
If Mitigated
With proper network segmentation and access controls, the impact is limited to the NAS device itself without lateral movement to other systems.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once authenticated. The vulnerability is in a specific command that reveals session information.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: NAS326: V5.21(AAZF.17)C0 or later, NAS542: V5.21(ABAG.14)C0 or later
Vendor Advisory: https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-multiple-vulnerabilities-in-nas-products-06-04-2024
Restart Required: Yes
Instructions:
1. Log into the Zyxel NAS web interface as administrator.
2. Navigate to Maintenance > Firmware.
3. Upload and install the latest firmware from Zyxel's support site.
4. Reboot the device after installation completes.
🔧 Temporary Workarounds
Restrict Access to Management Interface
Limit access to the NAS web interface and SSH to trusted IP addresses only
Implement Strong Authentication Controls
Enforce multi-factor authentication and strong password policies for all user accounts
🧯 If You Can't Patch
- Isolate affected NAS devices in a separate VLAN with strict firewall rules
- Monitor for unusual authentication patterns or privilege escalation attempts
🔍 How to Verify
Check if Vulnerable:
Check the firmware version in the web interface under Maintenance > Firmware, or via SSH using 'cat /etc/version'
Check Version:
cat /etc/version
Verify Fix Applied:
Verify firmware version is NAS326: V5.21(AAZF.17)C0 or later, NAS542: V5.21(ABAG.14)C0 or later
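As an added example (not part of this advisory or any Zyxel tooling), the check below parses a Zyxel-style firmware version string and compares it against the fixed builds listed above. It assumes the output of 'cat /etc/version' contains a string in the V5.21(AAZF.17)C0 form, that the model code in parentheses (AAZF for NAS326, ABAG for NAS542) identifies the model, and that the trailing C-number orders otherwise equal builds.

```python
import re
from typing import NamedTuple, Optional, Tuple

# Fixed firmware versions from the Zyxel advisory for CVE-2024-29976.
FIXED_VERSIONS = {
    "NAS326": "V5.21(AAZF.17)C0",
    "NAS542": "V5.21(ABAG.14)C0",
}

# Assumed layout of a Zyxel firmware version string, e.g. "V5.21(AAZF.17)C0":
# V<major>.<minor>(<model code>.<patch>)C<release>
_VERSION_RE = re.compile(r"V(\d+)\.(\d+)\(([A-Z]+)\.(\d+)\)C(\d+)")


class Firmware(NamedTuple):
    major: int
    minor: int
    code: str      # model code inside the parentheses, e.g. "AAZF"
    patch: int
    release: int   # trailing C-number (assumed to be a tie-breaker)

    def ordinal(self) -> Tuple[int, int, int, int]:
        return (self.major, self.minor, self.patch, self.release)


def parse_version(text: str) -> Optional[Firmware]:
    """Extract the first version string from text such as /etc/version output."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, code, patch, release = m.groups()
    return Firmware(int(major), int(minor), code, int(patch), int(release))


def assess(version_output: str) -> Optional[Tuple[str, bool]]:
    """Return (model, vulnerable) for a known model, or None if the string
    cannot be parsed or its model code is not covered by this advisory."""
    installed = parse_version(version_output)
    if installed is None:
        return None
    for model, fixed_str in FIXED_VERSIONS.items():
        fixed = parse_version(fixed_str)
        if fixed.code == installed.code:
            # Anything older than the fixed build is still vulnerable.
            return (model, installed.ordinal() < fixed.ordinal())
    return None


if __name__ == "__main__":
    # Constructed sample output, not captured from a real device.
    print(assess("V5.21(AAZF.16)C0"))  # ('NAS326', True)
```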
📡 Detection & Monitoring
Log Indicators:
- Multiple failed authentication attempts followed by successful login
- Unusual access to 'show_allsessions' command or similar session enumeration
- Administrator account login from unexpected IP addresses
Network Indicators:
- HTTP requests to session-related endpoints from non-admin users
- Unusual traffic patterns to NAS management interface
SIEM Query:
source="zyxel_nas" AND (event="session_enumeration" OR command="show_allsessions")
🔗 References
- https://outpost24.com/blog/zyxel-nas-critical-vulnerabilities/
- https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-multiple-vulnerabilities-in-nas-products-06-04-2024