Warning NAS users: 15 security holes found in QNAP products

Why are 11 of them still uncorrected?

During the security audit of the QTS operating system used in QNAP NAS products, fifteen vulnerabilities of varying severity were identified. It is noteworthy that eleven of them still remain uncorrected.

Among the detected problems, CVE-2024-27130 stands out, a stack buffer overflow vulnerability in the "No_Support_ACL" function of the "share.cgi" script, which allows an attacker to execute remote code under certain conditions.

QNAP has responded to vulnerability reports with numerous delays and has so far fixed only four of the fifteen issues identified. All this despite the fact that the company received information about most of the vulnerabilities back in December 2023 and January 2024.

The security flaws were discovered by WatchTowr Labs, who published full details of their findings, as well as a PoC exploit for CVE-2024-27130.

Security flaws found
Experts found that the vulnerabilities are mainly related to code execution, buffer overflow, memory corruption, authentication bypass, and XSS issues, which jeopardize the security of NAS devices in various deployment environments. Meanwhile, the full list of vulnerabilities includes:
  1. CVE-2023-50361. Unsafe use of "sprintf" in the "getQpkgDir" function called from "userConfig.cgi".
  2. CVE-2023-50362. Unsafe use of SQLite functions via the "addPersonalSmtp" parameter in "userConfig.cgi".
  3. CVE-2023-50363. Missing authentication allows two-factor authentication to be disabled for any user.
  4. CVE-2023-50364. Heap overflow via a long directory name when listing files with the "get_dirs" function of the "privWizard.cgi" script.
  5. CVE-2024-21902. Missing authentication allows any user to view or clear system logs and perform additional actions.
  6. CVE-2024-27127. Double free in "utilRequest.cgi" via the "delete_share" function.
  7. CVE-2024-27128. Stack overflow in the "check_email" function, reachable via the "share_file" and "send_share_mail" actions in "utilRequest.cgi".
  8. CVE-2024-27129. Unsafe use of "strcpy" in the "get_tree" function of the "utilRequest.cgi" script.
  9. CVE-2024-27130. Unsafe use of "strcpy" in "No_Support_ACL", reachable via the "get_file_size" function in "share.cgi".
  10. CVE-2024-27131. Log spoofing via "x-forwarded-for", which allows users to record downloads as requests from arbitrary sources.
  11. WT-2023-0050. Details have not been released yet because the issue turned out to be unexpectedly complex.
  12. WT-2024-0004. Stored XSS via remote syslog messages.
  13. WT-2024-0005. Stored XSS via remote device discovery.
  14. WT-2024-0006. No rate limiting in the authentication API.
  15. WT-2024-00XX. Details have not yet been disclosed.

The aforementioned flaws affect QTS, the NAS operating system on QNAP devices; QuTScloud, the version of QTS optimized for virtual machines; and QuTS hero, a specialized version focused on high performance.

QNAP Response
QNAP fixed CVE-2023-50361 through CVE-2023-50364 in the April 2024 security update for QTS 5.1.6.2722 build 20240402 and later, and QuTS hero h5.1.6.2734 build 20240414 and later.

For some reason, all the other vulnerabilities discovered by WatchTowr are still unaddressed, for which experts have been actively criticizing QNAP.

Exploit for vulnerability CVE-2024-27130
Vulnerability CVE-2024-27130 is caused by unsafe use of the "strcpy" function inside the "No_Support_ACL" function. This function is used by the "get_file_size" request in the "share.cgi" script when sharing media files with external users.

An attacker can craft a malicious request with a specially formed "name" parameter, which leads to a buffer overflow and remote code execution. To exploit CVE-2024-27130, an attacker needs a valid SSID parameter, which is generated when a user shares a file from the QNAP NAS device.
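The unbounded-copy pattern behind this class of bug, and the bounded check that prevents it, as an added illustration that is not QNAP's code and not taken from the WatchTowr report; the buffer size, function names and sample names below are all constructed for the example:

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define NAME_BUF_SIZE 64 /* hypothetical fixed-size stack buffer */

/* Vulnerable pattern (hypothetical, for contrast only): an attacker-controlled
 * CGI parameter is copied with strcpy into a fixed-size buffer. If the value is
 * NAME_BUF_SIZE bytes or longer, the copy writes past the end of the buffer.
 * Shown only to make the defect visible; must never receive untrusted input. */
void copy_name_unbounded(char out[NAME_BUF_SIZE], const char *name)
{
    strcpy(out, name);
}

/* Hardened replacement: measure the input without reading past NAME_BUF_SIZE
 * bytes, reject anything that does not fit (including its NUL terminator),
 * and copy with an explicit length. Returns true on success, false on rejection. */
bool copy_name_bounded(char out[NAME_BUF_SIZE], const char *name)
{
    const char *nul = memchr(name, '\0', NAME_BUF_SIZE);
    if (nul == NULL) {          /* no terminator within the buffer size: too long */
        out[0] = '\0';
        return false;
    }
    size_t len = (size_t)(nul - name);
    memcpy(out, name, len);
    out[len] = '\0';
    return true;
}

/* Convenience wrapper for request validation: does this name fit the buffer? */
int name_fits(const char *name)
{
    char buf[NAME_BUF_SIZE];
    return copy_name_bounded(buf, name) ? 1 : 0;
}

int main(void)
{
    char overlong[200];                /* constructed oversized "name" value */
    memset(overlong, 'A', sizeof overlong - 1);
    overlong[sizeof overlong - 1] = '\0';

    printf("short name fits: %d\n", name_fits("holiday.mp4")); /* 1 */
    printf("overlong name fits: %d\n", name_fits(overlong));    /* 0 */
    return 0;
}
```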

This parameter is included in the URL link created on the device when a file is shared, and an attacker can obtain it through social engineering. Moreover, users sometimes simply post these links online, which makes them discoverable through a regular Google search.

Although CVE-2024-27130 is not trivial to exploit, a sufficiently persistent attacker can obtain the value of the SSID parameter. As noted above, WatchTowr specialists published an exploit on GitHub, where they also showed how to create an account on a QNAP device and elevate its privileges.

QNAP has not yet provided any comments on the WatchTowr Labs technical report and accusations of slowness in fixing vulnerabilities.