Connect with us

Cyber Security

QNAP fixes critical RCE vulnerabilities in NAS devices

Published

on

QNAP Systems has patched a pair of critical security vulnerabilities that could allow unauthenticated attackers to take control of its network-attached storage (NAS) devices.

The flaws, which were among a raft of serious bugs addressed by the Taiwanese hardware vendor last week, can both lead to remote code execution (RCE), according to technical details published on March 31 by security researcher Yaniv Puyeski of SAM Seamless Network.

Sold for home and commercial use through subsidiaries in 28 countries, QNAP’s NAS devices are used for file sharing, virtualization, storage management, and surveillance applications.

Network-attached pwnage

command injection vulnerability (CVE-2020-2509) in QNAP NAS operating systems QTS and QuTS Hero is exploitable via the web server, and is addressed in various QTS versions and builds, plus QuTS Hero h4.5.1.1491 build 20201119, released on April 16.

Patched in the same batch of firmware updates, the other critical bug (CVE-2020-36195) affects any QNAP NAS devices running Multimedia Console or the Media Streaming add-on.

With access to the DLNA server, attackers can exploit the flaw to create arbitrary file data, elevating to RCE on the remote NAS, according to Puyeski.

The firmware updates also included a fix for a high severity cross-site scripting (XSS) vulnerability (CVE-2018-19942) in File Station, the QTS file management app.

The flaw, which was uncovered by Independent Security Evaluators, was fixed in several QTS versions/builds, QuTS hero h4.5.1.1472 build 20201031, and QuTScloud c4.5.4.1601 build 20210309 and QuTScloud c4.5.3.1454 build 20201013.

Twonky

Another QNAP advisory indicates that a QNAP NAS package is still pending for v8.5.2 of third-party application Twonky Server after its vendor, Lynx Technology, patched a pair of high severity bugs in the media server that can be combined to damaging effect.

Found by Sven Krewitt of Risk Based Security and disclosed on March 16, the flaws include an improper access restriction vulnerability that can expose the administrator username and password, and a weak password obfuscation flaw facilitating password decryption.

On April 12, meanwhile, QNAP patched a heap-based buffer overflow vulnerability in Linux command Sudo in its QTS OS.

Disclosed by Qualys and quickly addressed in QuTS hero in January, the bug allows any unprivileged users to gain escalated root privileges on the vulnerable host.

The high severity CVE (CVE-2021-3156) – classed as medium risk by QNAP – affects all QNAP NAS devices.

With a patch still pending for QES, users of QNAP’s enterprise storage operating system are advised to disable SSH and Telnet except where these services are required.

Finally, an RCE exploit for a critical stack-based buffer overflow vulnerability (CVE-2020-2501) patched in QNAP’s Surveillance Station video management system in February was published on April 10 by SSD Secure Disclosure.

The Daily Swig has sent additional questions to QNAP, SAM Seamless Network, and Lynx Technology. We will update the article if and when we receive responses.

Source: https://portswigger.net/daily-swig/qnap-fixes-critical-rce-vulnerabilities-in-nas-devices

Advertisement
Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

Copyright © 2023 Cyber Reports Cyber Security News All Rights Reserved Website by Top Search SEO