This is a summary of the AI-generated 10-question deep analysis. The full version (longer answers, follow-up Q&A, related CVEs) requires login. Read the full analysis β
Q1What is this vulnerability? (Essence + Consequences)
π¨ **Essence**: OS Command Injection in Zyxel NAS326/NAS542. π₯ **Consequences**: Attackers execute arbitrary OS commands via crafted HTTP POST requests. Full system compromise is possible.
Q2Root Cause? (CWE/Flaw)
π‘οΈ **Root Cause**: CWE-78 (OS Command Injection). π **Flaw**: The `remote_help-cgi` program fails to sanitize inputs, allowing shell commands to be injected directly into the OS.
Q3Who is affected? (Versions/Components)
π¦ **Affected Products**: Zyxel NAS326 & NAS542. π **Versions**: NAS326 < V5.21(AAZF.17)C0; NAS542 < V5.21(ABAG.14)C0. β οΈ All older firmware versions are at risk.
Q4What can hackers do? (Privileges/Data)
π **Privileges**: Root-level access. π **Data**: Full control over the device. π΅οΈ **Action**: Hackers can execute any OS command, install backdoors (e.g., `NsaRescueAngel`), and steal data.
Q5Is exploitation threshold high? (Auth/Config)
π **Threshold**: LOW. π« **Auth**: Unauthenticated. π **Config**: No user interaction needed. Attackers just send a malicious HTTP POST request to exploit it remotely.
π **Self-Check**: Use FOFA search `app="ZyXEL-NAS326"`. π‘ **Scan**: Run Nuclei templates (`http/cves/2024/CVE-2024-29972.yaml`). π **Verify**: Check firmware version against the safe thresholds.
Q8Is it fixed officially? (Patch/Mitigation)
π οΈ **Fix**: YES. π **Advisory**: Published 2024-06-04. β **Action**: Update NAS326 to V5.21(AAZF.17)C0 or later; NAS542 to V5.21(ABAG.14)C0 or later.
Q9What if no patch? (Workaround)
π§ **No Patch?**: Isolate the device from the internet. π« **Block**: Restrict HTTP POST access to the CGI endpoint. π‘οΈ **Monitor**: Watch for unauthorized root accounts like `NsaRescueAngel`.