Zyxel NAS Devices Under Attack: Mirai-Like Botnet Exploiting CVE-2024-29973

A new vulnerability, CVE-2024-29973, has been discovered in Zyxel NAS devices, exposing them to attacks from a Mirai-like botnet.

This vulnerability, a Python code injection flaw, has raised significant concerns among cybersecurity experts and users alike.

According to the Outpost24 blog, the vulnerability stems from a flaw in the simZysh endpoint of the Zyxel NAS devices’ web server.

This endpoint, introduced during a patch for a previous vulnerability (CVE-2023-27992), inadvertently replicated the same security mistakes.

The core issue lies in using the eval() function, which is notorious for its potential to execute arbitrary code if not properly sanitized.

A recent tweet from Shadowserver Foundation shared that the NAS Devices from Zyxel are being attacked by a botnet similar to Mirai and exploits CVE-2024-29973.

We have started observing Zyxel NAS CVE-2024-29973 RCE exploitation attempts by a Mirai-like botnet in our sensors. Zyxel has released patches for this and other vulnerabilities (though affected products are EOL)https://t.co/IiPxfSxcEj

Review for signs of compromise and patch!

— The Shadowserver Foundation (@Shadowserver) June 21, 2024

CVE-2024-29973 – Vulnerability Details

The simZysh function in the Zyxel NAS devices’ Python web server is designed to simulate the output of zyshcgi.

Scan Your Business Email Inbox to Find Advanced Email Threats - Try AI-Powered Free Threat Scan

However, the function’s implementation contains several critical flaws:

class mainApplication(object):

# Snip...

    def simZysh(self, *url_args, **request_args):

        """Simulate zyshcgi's output. GUI's broker shall set command as the following format:

                        'controller_name action_name {"arg1": value, "arg2": value, ...}'

                """

        for i in url_args:

            if not check_str_format(i, 'url'):

                return tools_cherrypy.ARG_ERROR

        for key, value in request_args.items():

            if not check_str_format(key, 'request'):

                if not check_list(key):

                    return tools_cherrypy.ARG_ERROR

            if not check_str_format(value, 'request'):

                if not check_list(value):

                    return tools_cherrypy.ARG_ERROR

        r_value = {}

        c_index = 0

        while True:

            c_key = 'c%d' % c_index

            if request_args.has_key(c_key):

                controller_n, action_n, args = request_args[c_key].split(' ', 2)

                try:

                    controller = __import__('controllers.%s' % controller_n)

                    tmp_result = eval('controller.%s.%s(cherrypy=%s, arguments=%s)' % (

                     controller_n, action_n, 'cherrypy', args))

                    if not tmp_result:

                        raise ValueError

                    r_type = type(tmp_result)

                    if r_type == list:

                        r_value['zyshdata%d' % c_index] = tmp_result

                    else:

                        r_value['zyshdata%d' % c_index] = [

                         tmp_result]

                    r_value['errno%d' % c_index] = 0

                    r_value['errmsg%d' % c_index] = _('OK')

                except:

                    r_value['zyshdata%d' % c_index] = []

                    r_value['errno%d' % c_index] = -99999

                    r_value['errmsg%d' % c_index] = _('Execute Error')

            else:

                break

            c_index += 1

        return r_value

    simZysh.exposed = True

Exploitation and Impact

The vulnerability allows attackers to inject arbitrary Python code through carefully crafted requests.

Attackers can execute commands on the device by bypassing the mod_auth_zyxel module and avoiding Python filters. For instance, a malicious payload could look like this:

POST /cmd,/simZysh/register_main/setCookie

c0='storage_ext_cgi CGIGetExtStoInfo None) and False or __import__("subprocess").check_output("makekey", shell=True)#'

This payload exploits the eval() function to execute the makekey command, potentially opening a backdoor on the device.

Mitigation and Recommendations

Zyxel has been notified of the vulnerability and released patches.

In the meantime, users are advised to:

1. Disable Remote Access: Restrict remote access to the NAS devices to prevent exploitation.
2. Apply Network Segmentation: Isolate NAS devices from the rest of the network to limit potential damage.
3. Monitor Network Traffic: Monitor unusual network activity indicating an ongoing attack.

The discovery of CVE-2024-29973 highlights the ongoing challenges in securing IoT devices.

As attackers continue to exploit such vulnerabilities, it is crucial for manufacturers to implement robust security measures and for users to stay vigilant.

Free Webinar! 3 Security Trends to Maximize MSP Growth -> Register For Free