QNAP fixes vulnerabilities in proprietary NAS solutions

Father

It seems that the company has decided to take a more responsible approach to security issues.

No sooner had we published yesterday's news that WatchTowr Labs researchers accused QNAP of being slow to respond to responsible vulnerability disclosure than it became known today that the NAS giant seems to have taken the right path, publishing 5 fixes for the affected QTS and QuTS hero operating systems at once.

Among the patched vulnerabilities:
  • CVE-2024-21902. Incorrect permission assignment that allows authenticated users to read or modify resources over the network.
  • CVE-2024-27127. A double-free vulnerability that allows arbitrary code to be executed over the network.
  • CVE-2024-27129, CVE-2024-27128, and CVE-2024-27130. A set of buffer overflow vulnerabilities that allow arbitrary code to be executed over the network.

All vulnerabilities require an account on NAS devices to be exploited. All of them were fixed in the QTS 5.1.7.2770 and QuTS hero h5.1.7.2770 updates. The researcher who discovered and reported the problems, Aliz Hammond of WatchTowr Labs, received recognition from QNAP for his efforts.

"The CVE-2024-27130 vulnerability is related to the unsafe use of the 'strcpy' function in the 'No_Support_ACL' function used in the 'share.cgi' script to share media with external users," QNAP said in a statement. "Exploiting this vulnerability requires a valid SSID parameter, which is generated when files are exchanged with NAS devices."

QNAP noted that all versions of QTS 4.x and 5.x have the ASLR feature enabled, which makes it difficult to exploit this vulnerability.

The updates were released four days after the Singapore-based cybersecurity company revealed 15 vulnerabilities, including four bugs that could be used to bypass authentication and execute arbitrary code.

The vulnerabilities CVE-2023-50361 through CVE-2023-50364 were fixed by QNAP on April 25, 2024. However, the company has not yet released a fix for CVE-2024-27131, which WatchTowr described as "log spoofing via x-forwarded-for, which allows you to record downloads from an arbitrary source."

At the same time, QNAP claims that CVE-2024-27131 is not a vulnerability but a "design decision" that requires changing the QuLog Center interface specifications. Be that as it may, this "decision" is planned to be fixed in QTS 5.2.0.

Details about four other vulnerabilities have not yet been disclosed, but it is already known that one of them has received a CVE identifier and will be fixed in the next update.

WatchTowr experts said that they were forced to publish information about the vulnerabilities after QNAP did not fix them within the 90-day disclosure period, even though the company had repeatedly requested a delay in publishing the public report.

In response to the criticism, QNAP expressed regret for coordination issues and committed to releasing fixes for critical vulnerabilities within 45 days and for medium-risk vulnerabilities within 90 days.

"We apologize for any inconvenience and are committed to continuously improving our security measures," the company added. "Our goal is to work closely with researchers around the world to ensure the highest level of safety for our products."

Given that vulnerabilities in QNAP NAS devices have previously been exploited by attackers, users are advised to update their systems to the latest versions of QTS and QuTS hero as soon as possible to prevent potential threats.
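
The log-spoofing issue quoted above (CVE-2024-27131) concerns a client-supplied X-Forwarded-For value ending up as the recorded source of an action. The following is an added example, not part of the original post and not QNAP's code, of how a service can choose the address it writes to an audit log; the trusted proxy range, the function names and the note strings are assumptions made for illustration.

```python
import ipaddress

# Constructed example value: the reverse proxies we operate and trust to
# append the address they saw to X-Forwarded-For (assumption).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]


def _is_trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip_for_log(peer_addr, xff_header):
    """Return (ip_to_log, note) for an audit-log entry.

    peer_addr is the TCP peer address of the connection; xff_header is the
    raw X-Forwarded-For value, or None when the header is absent.
    """
    peer = ipaddress.ip_address(peer_addr)
    # A direct client can put anything in the header, so ignore it entirely
    # unless the connection itself came from one of our proxies.
    if not _is_trusted(peer):
        return str(peer), ("xff-ignored" if xff_header else "direct")
    if not xff_header:
        return str(peer), "proxy-no-xff"
    # Each proxy appends on the right, so walk right to left and stop at the
    # first hop that is not ours: that entry was written by our own proxy,
    # everything to its left is client-supplied and unverified.
    for hop in reversed([h.strip() for h in xff_header.split(",")]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            # Not an IP address at all (for example injected text):
            # fall back to the connection peer.
            return str(peer), "xff-malformed"
        if not _is_trusted(addr):
            return str(addr), "xff-trusted-hop"
    return str(peer), "xff-all-proxies"
```

Logging the note next to the address lets a reviewer see later whether a recorded source came from the connection itself or from a header.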
 