An in depth safety audit of QNAP QTS, the working system for the corporate’s NAS merchandise, has uncovered fifteen vulnerabilities of various severity, with eleven remaining unfixed.
Amongst them is CVE-2024-27130, an unpatched stack buffer overflow vulnerability within the ‘No_Support_ACL’ perform of ‘share.cgi,’ which may allow an attacker to carry out distant code execution when particular conditions are met.
The seller responded to the vulnerability reviews submitted between December 12, 2023, and January 23, 2024, with a number of delays and has fastened solely 4 of the fifteen flaws.
The vulnerabilities have been found by WatchTowr Labs, who revealed the entire particulars of their findings and a proof of idea (PoC) exploit for CVE-2024-27130 on Friday.
The QTS vulnerabilities
The failings uncovered by WatchTowr analysts are primarily associated to code execution, buffer overflows, reminiscence corruption, authentication bypass, and XSS points, impacting the safety of Community Connected Storage (NAS) units throughout totally different deployment environments.
WatchTowr lists a complete of fifteen flaws, summarized as follows:
- CVE-2023-50361: Unsafe use of sprintf in getQpkgDir invoked from userConfig.cgi.
- CVE-2023-50362: Unsafe use of SQLite capabilities accessible through parameter addPersonalSmtp to userConfig.cgi.
- CVE-2023-50363: Lacking authentication permits two-factor authentication to be disabled for arbitrary customers.
- CVE-2023-50364: Heap overflow through lengthy listing identify when file itemizing is seen by get_dirs perform of privWizard.cgi.
- CVE-2024-21902: Lacking authentication permits all customers to view or clear system logs and carry out further actions.
- CVE-2024-27127: A double-free in utilRequest.cgi through the delete_share perform.
- CVE-2024-27128: Stack overflow in check_email perform, reachable through the share_file and send_share_mail actions of utilRequest.cgi.
- CVE-2024-27129: Unsafe use of strcpy in get_tree perform of utilRequest.cgi.
- CVE-2024-27130: Unsafe use of strcpy in No_Support_ACL accessible by get_file_size perform of share.cgi.
- CVE-2024-27131: Log spoofing through x-forwarded-for permits customers to trigger downloads to be recorded as requested from arbitrary supply areas.
- WT-2023-0050: Below prolonged embargo as a result of an unexpectedly advanced problem.
- WT-2024-0004: Saved XSS through distant syslog messages.
- WT-2024-0005: Saved XSS through distant machine discovery.
- WT-2024-0006: Lack of rate-limiting on authentication API.
- WT-2024-00XX: Below 90-day embargo as per VDP.
The above bugs affect QTS, the NAS working system on QNAP units, QuTScloud, the VM-optimized model of QTS, and QTS hero, a specialised model targeted on excessive efficiency.
QNAP has addressed CVE-2023-50361 by CVE-2023-50364 in a safety replace launched in April 2024, in variations QTS 5.1.6.2722 construct 20240402 and later, and QuTS hero h5.1.6.2734 construct 20240414 and later.
Nonetheless, all the opposite vulnerabilities found by WatchTowr stay unaddressed.
PoC for zero-day RCE
The QNAP CVE-2024-27130 vulnerability is triggered by the unsafe use of the ‘strcpy’ perform within the No_Support_ACL perform. This perform is utilized by the get_file_size request within the share.cgi script, used when sharing media with exterior customers.
An attacker can craft a malicious request with a specifically crafted ‘identify’ parameter, inflicting the buffer overflow resulting in distant code execution.
To use CVE-2024-27130, the attacker wants a sound ‘ssid’ parameter, which is generated when a NAS person shares a file from their QNAP machine.
This parameter is included within the URL of the ‘share’ hyperlink created on a tool, so an attacker can be required to use some social engineering to achieve entry to it. Nonetheless, BleepingComputer discovered that customers typically share these hyperlinks on-line, permitting them to be listed and retrieved from a easy Google search.
Supply: WatchTowr
In abstract, CVE-2024-27130 is not simple to use, but the SSID prerequisite could be met for decided actors.
WatchTowr revealed an exploit on GitHub, through which they exhibit how one can craft a payload that creates a ‘watchtowr’ account to a QNAP machine and provides them to the sudoers for elevated privileges.
BleepingComputer has contacted QNAP for an announcement on the disclosed flaws, however a remark wasn’t instantly accessible.
