QNAP 0-day Flaw : 289,000+ Devices Found Vulnerable

Last week, QNAP released a security advisory in which multiple vulnerabilities were fixed in QTS, QuTS hero and QuTScloud products.

The vulnerabilities were assigned with CVE-2023-47218 and CVE-2023-50358. The severity of these vulnerabilities were given as 5.8 (Medium).

However, it has been discovered that there were a total of 289,665 vulnerable devices that are potentially exploitable by threat actors.

Document
Protect Your Network From Data Breach

Perimeter’s 81 Malware Protection for Network Based Threats

Prevent malware from infecting your network at the delivery stage by intercepting malicious files in transit from their source to the target device’s web browser. .

These devices most existed in Germany, USA, China, Italy, Japan, Taiwan, France, and several other nations.

Vulnerable Devices based on Country (Source: Unit 42)

QNAP 0-day Flaw

Palo Alto said that, this vulnerability is associated with a command injection which exists in the quick.cgi component of QNAP QTS firmware that can be accessed without authentication. QNAP QTS stands for (QNAP Turbo network attached storage System). 

When setting the HTTP parameter todo=set_timeinfo, the quick.cgi request handler saves the value of the parameter SPECIFIC_SERVER into the configuration file /tmp/quick/quick_tmp.conf under the name NTP Address.

After this, the quick.cgi component starts time synchronization with the ntpdate utility where the command-line execution happens.

This utility reads the NTP Address in the quick_tmp.conf file which is then executed using system().

This means that if an untrusted input is provided in the SPECIFIC_SERVER parameter, it is passed through the phases and executed via system() resulting in an arbitrary command execution on the vulnerable device.

Testing for exploitation (Source: Unit 42)

Mitigation

In order to mitigate this vulnerability, users can follow the below mentioned steps

  • Test the URL: https://<NAS IP address>:<NAS system port>/cgi-bin/quick/quick.cgi on the browser
  • If there is a HTTP 404 Error, the device is not vulnerable. If there is a “Page Not Found” or “the web server is currently available”, there is a possibility of vulnerability on the device.
  • If there is an empty page with HTTP 200 response, the following steps are recommended:
    • Update your operating system to one of the following versions or later:
      • QTS 5.0.0.1986 build 20220324 or later
      • QTS 4.5.4.2012 build 20220419 or later
      • QuTS h5.0.0.1986 build 20220324 or later
      • QuTS h4.5.4.1991 build 20220330 or later
  • Retest the same URL on the web browser. If the result is an HTTP 404 error, the device is secured.
  • If the HTTP 200 response still persists, contacting QNAP technical support is advised.

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.

Eswar is a Cyber security reporter with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is reporting data breach, Privacy and APT Threats.