Taiwanese company QNAP has rolled out fixes for a set of medium-severity flaws impacting QTS and QuTS hero, some of which could be exploited to achieve code execution on its network-attached storage (NAS) appliances.
The issues, which impact QTS 5.1.x and QuTS hero h5.1.x, are listed below –
- CVE-2024-21902 – An incorrect permission assignment for critical resource vulnerability that could allow authenticated users to read or modify the resource via a network
- CVE-2024-27127 – A double free vulnerability that could allow authenticated users to execute arbitrary code via a network
- CVE-2024-27128, CVE-2024-27129, and CVE-2024-27130 – A set of buffer overflow vulnerabilities that could allow authenticated users to execute arbitrary code via a network
All the shortcomings, which require a valid account on NAS devices, have been resolved in QTS 5.1.7.2770 build 20240520 and QuTS hero h5.1.7.2770 build 20240520. Aliz Hammond of watchTowr Labs has been credited with finding and reporting the flaws on January 3, 2024.
“The CVE-2024-27130 vulnerability, which has been reported under WatchTowr ID WT-2023-0054, is caused by the unsafe use of the ‘strcpy’ function in the No_Support_ACL function, which is used by the get_file_size request in the share.cgi script,” QNAP said.
“This script is used when sharing media with external users. To exploit this vulnerability, an attacker requires a valid ‘ssid’ parameter, which is generated when a NAS user shares a file from their QNAP device.”
It also pointed out that all QTS 4.x and 5.x versions have Address Space Layout Randomization (ASLR) enabled, making it difficult for an attacker to exploit the vulnerability.
The patches arrived four days after the Singapore-based cybersecurity company released details about a total of 15 vulnerabilities, including four separate bugs that could be weaponized to bypass authentication and execute arbitrary code.
The vulnerabilities – tracked from CVE-2023-50361 through CVE-2023-50364 – were resolved by QNAP on April 25, 2024, following disclosure in December 2023.
It’s worth noting that the company has yet to release fixes for CVE-2024-27131, which has been described by watchTowr as a case of “Log spoofing via x-forwarded-for [that] allows users to cause downloads to be recorded as requested from arbitrary source location.”
QNAP said CVE-2024-27131 is not an actual vulnerability but rather a design choice that requires a change in the UI specifications in the QuLog Center. This is expected to be remediated in QTS 5.2.
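The log-spoofing class described above comes from recording a client-supplied X-Forwarded-For value as the request source. The following is an added example, not code from QNAP or watchTowr, showing one way a logging component can choose the address it records; `TRUSTED_PROXIES`, `client_ip_for_log` and all sample addresses are assumptions constructed for illustration.

```python
import ipaddress

# Assumption: only these reverse proxies are allowed to set X-Forwarded-For.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]  # constructed sample


def _is_trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def _parse(value):
    try:
        return ipaddress.ip_address(value.strip())
    except ValueError:
        return None


def client_ip_for_log(peer_ip, xff_header):
    """Return the source address to record for a request.

    peer_ip is the TCP peer; xff_header is the raw X-Forwarded-For value.
    """
    peer = ipaddress.ip_address(peer_ip)
    # A direct client can put anything in the header, so ignore it entirely.
    if not _is_trusted(peer) or not xff_header:
        return str(peer)
    # Walk right to left: each trusted proxy appended the hop it actually saw.
    candidate = peer
    for hop in reversed(xff_header.split(",")):
        addr = _parse(hop)
        if addr is None:
            break  # malformed entry: keep the last verified hop
        candidate = addr
        if not _is_trusted(addr):
            break  # first untrusted hop is the real client
    return str(candidate)


if __name__ == "__main__":
    # Constructed sample requests: (TCP peer, X-Forwarded-For header)
    samples = [
        ("198.51.100.7", "127.0.0.1"),                # direct client, spoofed header
        ("10.0.0.5", "203.0.113.9, 198.51.100.7"),    # client prepended a fake hop
        ("10.0.0.5", "192.0.2.44, 10.0.0.6"),         # two trusted proxies in chain
    ]
    for peer, xff in samples:
        print(f"{peer:15} {xff!r:32} -> {client_ip_for_log(peer, xff)}")
```

Logging the raw header in a separate, clearly labelled field alongside the resolved address keeps the client's claim available to analysts without letting it replace the verified source.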
Details about four other vulnerabilities reported by watchTowr are currently withheld, with three of them now under review. The fourth issue has been assigned a CVE ID and will be fixed in the upcoming release.
watchTowr said it was forced to go public with the flaws last week after QNAP failed to address them within the stipulated 90-day public disclosure period and that it was generous by giving the company “several extensions” to give the company enough time.
In response, QNAP said it regretted the coordination issues, stating it’s committing to releasing fixes for high- or critical-severity flaws within 45 days. Fixes for medium-severity vulnerabilities will be released within 90 days.
“We apologize for any inconvenience this may have caused and are committed to enhancing our security measures continuously,” it added. “Our goal is to work closely with researchers worldwide to ensure the highest quality of security for our products.”
With vulnerabilities in QNAP NAS devices exploited in the past by ransomware attackers, users are recommended to update to the latest versions of QTS and QuTS hero as soon as possible to mitigate potential threats.
Some parts of this article are sourced from:
thehackernews.com