
Attack on Zyxel NAS devices: use of a Mirai-style botnet

A new vulnerability, CVE-2024-29973, has been discovered in Zyxel NAS devices, leaving them vulnerable to attacks from a Mirai-like botnet.

This Python code injection vulnerability has raised significant concerns among cybersecurity experts and users alike.

According to the Outpost24 blog, the vulnerability stems from a flaw in the simZysh endpoint of the web server on Zyxel NAS devices.

This endpoint, introduced in the patch for a previous vulnerability (CVE-2023-27992), unintentionally reintroduced the same class of bug.

The fundamental problem is the use of the eval() function, which is notorious for executing arbitrary code when the input it receives is not properly sanitized.

A recent tweet from the Shadowserver Foundation stated that Zyxel NAS devices are being attacked by a Mirai-like botnet using the CVE-2024-29973 exploit.

The simZysh Python web server function on Zyxel NAS devices is designed to simulate the output of zyshcgi.


However, the function’s implementation contains several critical errors:

class Application(object):

    # Snip...

    def simZysh(self, *url_args, **request_args):
        """Simulate zyshcgi's output. GUI's broker shall set command as the following format:
            'controller_name action_name {"arg1": value, "arg2": value, ...}'
        """
        for i in url_args:
            if not check_str_format(i, 'url'):
                return tools_cherrypy.ARG_ERROR
        for key, value in request_args.items():
            if not check_str_format(key, 'request'):
                if not check_list(key):
                    return tools_cherrypy.ARG_ERROR
            if not check_str_format(value, 'request'):
                if not check_list(value):
                    return tools_cherrypy.ARG_ERROR
        r_value = {}
        c_index = 0
        while True:
            c_key = 'c%d' % c_index
            if request_args.has_key(c_key):
                # The c<N> value comes straight from the request and is split into
                # controller name, action name and an argument string
                controller_n, action_n, args = request_args[c_key].split(' ', 2)
                try:
                    controller = __import__('controllers.%s' % controller_n)
                    # Vulnerable: all three request-controlled pieces are interpolated
                    # into a string that is then passed to eval()
                    tmp_result = eval('controller.%s.%s(cherrypy=%s, arguments=%s)' % (
                        controller_n, action_n, 'cherrypy', args))
                    if not tmp_result:
                        raise ValueError
                    r_type = type(tmp_result)
                    if r_type == list:
                        r_value['zyshdata%d' % c_index] = tmp_result
                    else:
                        r_value['zyshdata%d' % c_index] = (
                            tmp_result)
                    r_value['errno%d' % c_index] = 0
                    r_value['errmsg%d' % c_index] = _('OK')
                except:
                    r_value['zyshdata%d' % c_index] = ()
                    r_value['errno%d' % c_index] = -99999
                    r_value['errmsg%d' % c_index] = _('Execute Error')
            else:
                break
            c_index += 1
        return r_value

    simZysh.exposed = True

Exploitation and impact

The vulnerability allows attackers to inject arbitrary Python code via carefully crafted requests.

Attackers can execute commands on the device by bypassing the mod_auth_zyxel authentication module and evading the Python input filters. For example, a malicious payload might look like this:

POST /cmd,/simZysh/register_main/setCookie

c0='storage_ext_cgi CGIGetExtStoInfo None) and False or __import__("subprocess").check_output("makekey", shell=True)#'

This payload uses the eval() function to execute the makekey command, potentially opening a backdoor on the device.
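As an added illustration (not Zyxel's code and not from the Outpost24 write-up), here is the same 'controller action args' command format dispatched without eval(): controller and action names are checked as plain identifiers and looked up in a fixed registry, and the argument part is parsed with json.loads, so a value shaped like the payload above is rejected before anything is executed. The CONTROLLERS registry and its handler are constructed stand-ins for the device's controllers package.

```python
import json
import re

# Constructed stand-in for the NAS "controllers" package: the only
# controller/action pairs the dispatcher may call (assumed names).
CONTROLLERS = {
    "storage_ext_cgi": {
        "CGIGetExtStoInfo": lambda cherrypy, arguments: {"volumes": ["vol1"], "args": arguments},
    },
}

_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

class ArgError(ValueError):
    """Raised when a command string is malformed or not on the allowlist."""

def parse_command(command):
    """Split 'controller action args' as the simZysh docstring documents,
    but parse the args as JSON instead of interpolating them into eval()."""
    parts = command.split(" ", 2)
    if len(parts) != 3:
        raise ArgError("expected 'controller action args'")
    controller_n, action_n, args = parts
    if not (_IDENT.match(controller_n) and _IDENT.match(action_n)):
        raise ArgError("controller and action must be plain identifiers")
    try:
        arguments = json.loads(args)
    except ValueError:
        raise ArgError("arguments must be a JSON object or null")
    if arguments is not None and not isinstance(arguments, dict):
        raise ArgError("arguments must be a JSON object or null")
    return controller_n, action_n, arguments

def dispatch(command, cherrypy=None):
    """Allowlisted lookup replaces __import__() + eval(): no request text
    ever reaches the interpreter as code."""
    controller_n, action_n, arguments = parse_command(command)
    actions = CONTROLLERS.get(controller_n)
    if actions is None or action_n not in actions:
        raise ArgError("unknown controller or action")
    return actions[action_n](cherrypy=cherrypy, arguments=arguments)

def try_dispatch(command):
    """Return ('ok', result) or ('rejected', reason) for one c<N> value."""
    try:
        return "ok", dispatch(command)
    except ArgError as exc:
        return "rejected", str(exc)
```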

Mitigation and recommendations

Zyxel has been notified of this vulnerability and is expected to release a patch soon.

Meanwhile, users are advised to:

  1. Disable remote access: Restrict remote access to NAS devices to prevent their exploitation.
  2. Apply network segmentation: Isolate NAS devices from the rest of the network to reduce potential damage.
  3. Monitor network traffic: Monitor for unusual network activity that indicates an ongoing attack.

The discovery of CVE-2024-29973 highlights the ongoing challenges in securing IoT devices.

As attackers continue to exploit such vulnerabilities, it is critical that manufacturers implement robust security measures and users remain vigilant.
