A new vulnerability, CVE-2024-29973, has been discovered in Zyxel NAS devices, exposing them to attacks from a Mirai-like botnet.
This vulnerability, a Python code injection flaw, has raised significant concerns among cybersecurity experts and users alike.
According to the Outpost24 blog, the vulnerability stems from a flaw in the simZysh endpoint of the Zyxel NAS devices’ web server.
This endpoint, introduced during a patch for a previous vulnerability (CVE-2023-27992), inadvertently replicated the same security mistakes.
The core issue lies in using the eval() function, which is notorious for its potential to execute arbitrary code if not properly sanitized.
A recent tweet from the Shadowserver Foundation reported that Zyxel NAS devices are being attacked by a Mirai-like botnet exploiting CVE-2024-29973.
The simZysh function in the Zyxel NAS devices’ Python web server is designed to simulate the output of zyshcgi.
However, the function’s implementation contains several critical flaws:
```python
class mainApplication(object):
    # Snip...
    def simZysh(self, *url_args, **request_args):
        """Simulate zyshcgi's output. GUI's broker shall set command as the following format:
        'controller_name action_name {"arg1": value, "arg2": value, ...}'
        """
        # Input filters: only check_str_format()/check_list() stand between the
        # request and the eval() below.
        for i in url_args:
            if not check_str_format(i, 'url'):
                return tools_cherrypy.ARG_ERROR
        for key, value in request_args.items():
            if not check_str_format(key, 'request'):
                if not check_list(key):
                    return tools_cherrypy.ARG_ERROR
            if not check_str_format(value, 'request'):
                if not check_list(value):
                    return tools_cherrypy.ARG_ERROR
        r_value = {}
        c_index = 0
        while True:
            c_key = 'c%d' % c_index
            if request_args.has_key(c_key):
                # controller_n, action_n and args all come straight from the request parameter
                controller_n, action_n, args = request_args[c_key].split(' ', 2)
                try:
                    controller = __import__('controllers.%s' % controller_n)
                    # Request-controlled strings are spliced into Python source text and
                    # evaluated: this is the injection point.
                    tmp_result = eval('controller.%s.%s(cherrypy=%s, arguments=%s)' % (
                        controller_n, action_n, 'cherrypy', args))
                    if not tmp_result:
                        raise ValueError
                    r_type = type(tmp_result)
                    if r_type == list:
                        r_value['zyshdata%d' % c_index] = tmp_result
                    else:
                        r_value['zyshdata%d' % c_index] = [
                            tmp_result]
                    r_value['errno%d' % c_index] = 0
                    r_value['errmsg%d' % c_index] = _('OK')
                except:
                    r_value['zyshdata%d' % c_index] = []
                    r_value['errno%d' % c_index] = -99999
                    r_value['errmsg%d' % c_index] = _('Execute Error')
            else:
                break
            c_index += 1
        return r_value
    simZysh.exposed = True
```
Exploitation and Impact
The vulnerability allows attackers to inject arbitrary Python code through carefully crafted requests.
Attackers can execute commands on the device by bypassing the mod_auth_zyxel module and avoiding Python filters. For instance, a malicious payload could look like this:
```
POST /cmd,/simZysh/register_main/setCookie
c0='storage_ext_cgi CGIGetExtStoInfo None) and False or __import__("subprocess").check_output("makekey", shell=True)#'
```
This payload exploits the eval() function to execute the makekey command, potentially opening a backdoor on the device.
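As an added example (not Zyxel's code and not from the Outpost24 write-up), here is the same command dispatch written without eval(): controller and action names must be plain identifiers and are looked up in an explicit registry, and the argument string is parsed as JSON data rather than evaluated, so a value like `None) and False or ...` is rejected as malformed input instead of reaching the interpreter. The `CONTROLLERS` registry and the `get_ext_sto_info` handler are hypothetical stand-ins for the device's `controllers.*` modules.

```python
import json
import re

# Hypothetical handler standing in for controllers.storage_ext_cgi.CGIGetExtStoInfo
# (constructed for this example; the real module is not on the page).
def get_ext_sto_info(cherrypy=None, arguments=None):
    return [{"volume": "vol1", "status": "ok"}]

# Explicit allowlist of dispatchable controller/action pairs.
CONTROLLERS = {
    "storage_ext_cgi": {"CGIGetExtStoInfo": get_ext_sto_info},
}

IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def parse_command(cmd):
    """Split 'controller action args' without evaluating anything.

    Returns (controller, action, args) or raises ValueError.
    """
    parts = cmd.split(" ", 2)
    if len(parts) != 3:
        raise ValueError("expected 'controller action args'")
    controller, action, raw_args = parts
    if not IDENT.match(controller) or not IDENT.match(action):
        raise ValueError("controller/action must be plain identifiers")
    # json.loads only accepts data literals, never expressions, so an argument
    # string carrying ') and False or ...' fails here with a ValueError.
    args = None if raw_args == "None" else json.loads(raw_args)
    return controller, action, args


def dispatch(cmd, cherrypy=None):
    """Hardened replacement for the eval()-based dispatch: the target is looked
    up in the registry instead of being spliced into Python source text."""
    try:
        controller, action, args = parse_command(cmd)
        handler = CONTROLLERS[controller][action]  # KeyError if not registered
    except (ValueError, KeyError) as exc:
        return {"zyshdata0": [], "errno0": -99999,
                "errmsg0": "Execute Error: %s" % exc}
    result = handler(cherrypy=cherrypy, arguments=args)
    if not isinstance(result, list):
        result = [result]
    return {"zyshdata0": result, "errno0": 0, "errmsg0": "OK"}
```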
Mitigation and Recommendations
Zyxel has been notified of the vulnerability and is expected to release a patch soon.
In the meantime, users are advised to:
- Disable Remote Access: Restrict remote access to the NAS devices to prevent exploitation.
- Apply Network Segmentation: Isolate NAS devices from the rest of the network to limit potential damage.
- Monitor Network Traffic: Watch for unusual network activity that may indicate an ongoing attack.
The discovery of CVE-2024-29973 highlights the ongoing challenges in securing IoT devices.
As attackers continue to exploit such vulnerabilities, it is crucial for manufacturers to implement robust security measures and for users to stay vigilant.