PoC Exploit Released For QNAP Remote Code Execution Vulnerability

A critical remote code execution (RCE) vulnerability designated as CVE-2024-53691 has been identified in the QNAP QTS/QuTS hero operating system.

This vulnerability poses a significant risk, allowing remote attackers who have obtained user access to traverse the file system beyond intended boundaries. 

A Proof of Concept (PoC) exploit has been released, making it more essential for impacted users to apply the required fixes.

Understanding The Vulnerability

The significant RCE vulnerability, with a CVSS v4 score of 8.7, enables an attacker to upload a symlink (symbolic link) using a carefully crafted ZIP file.

Once uploaded, this symlink can be manipulated to exploit the encrypt/decrypt function of the system, granting the attacker an arbitrary file write capability.

Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup - Try for Free

This write primitive can be leveraged to achieve remote code execution (RCE)—a serious vulnerability that allows an attacker to execute malicious code with the privileges of the root user.

An attacker gaining such access can effectively take complete control of the compromised system, leading to potential data breaches, system downtime, and extensive damage to the integrity of the affected environment.

The exploit mechanism is particularly concerning due to its reliance on common user privileges that many remote attackers may acquire.

Exploiting the Vulnerability – CVE-2024-53691

According to PoC, once a user-level access point is established, the malicious actor can execute the following steps to exploit the vulnerability:

• Craft a Malicious ZIP File: The attacker creates a ZIP container that includes a symlink pointing to sensitive files or directories within the QNAP system.
• Upload the ZIP File: By exploiting a vulnerable application endpoint, the attacker uploads the ZIP file to the QNAP device.
• Trigger the Decrypt Function: Utilizing the encrypt/decrypt functionality, the attacker triggers the system to process the ZIP file, which unwittingly follows the symlink to perform unauthorized file operations.
• Execute Code: Using the arbitrary file write capabilities gained from the exploit, the attacker deploys a payload that executes malicious code, effectively running with root privileges.

Affected Versions

QNAP has released essential fixes in response to this issue. The following versions have mitigated this risk:

QTS:

• 5.1.8.2823 (build 20240712) and later
• 5.2.0.2802 (build 20240620) and later

QuTS hero:

• h5.1.8.2823 (build 20240712) and later
• h5.2.0.2802 (build 20240620) and later

It is essential for users operating these systems to upgrade to the latest versions immediately to safeguard against potential exploits.

Users can download the updates from the official QNAP website or utilize the automated update feature within their systems.

As cyber threats continue to evolve, it’s imperative to stay informed about vulnerabilities and adopt proactive measures to protect sensitive data and systems from unauthorized access.

Users are encouraged to regularly consult security advisories from QNAP and related cybersecurity organizations to mitigate risks effectively.

Integrating Application Security into Your CI/CD Workflows Using Jenkins & Jira -> Free Webinar