Taiwanese firm QNAP has rolled out fixes for a set of medium-severity flaws impacting QTS and QuTS hero, some of which could be exploited to achieve code execution on its network-attached storage (NAS) appliances.
The issues, which affect QTS 5.1.x and QuTS hero h5.1.x, are listed below –
- CVE-2024-21902 – An incorrect permission assignment for critical resource vulnerability that could allow authenticated users to read or modify the resource via a network
- CVE-2024-27127 – A double free vulnerability that could allow authenticated users to execute arbitrary code via a network
- CVE-2024-27128, CVE-2024-27129, and CVE-2024-27130 – A set of buffer overflow vulnerabilities that could allow authenticated users to execute arbitrary code via a network
All of the shortcomings, which require a valid account on the NAS device, have been addressed in QTS 5.1.7.2770 build 20240520 and QuTS hero h5.1.7.2770 build 20240520. Aliz Hammond of watchTowr Labs has been credited with discovering and reporting the issues on January 3, 2024.
“The CVE-2024-27130 vulnerability, which has been reported under WatchTowr ID WT-2023-0054, is caused by the unsafe use of the ‘strcpy’ function in the No_Support_ACL function, which is used by the get_file_size request in the share.cgi script,” QNAP said.
“This script is used when sharing media with external users. To exploit this vulnerability, an attacker requires a valid ‘ssid’ parameter, which is generated when a NAS user shares a file from their QNAP device.”
It also pointed out that all QTS 4.x and 5.x versions have Address Space Layout Randomization (ASLR) enabled, making it more difficult for an attacker to exploit the vulnerability.
The patches arrived four days after the Singapore-based cybersecurity company released details about a total of 15 vulnerabilities, including four separate bugs that could be weaponized to bypass authentication and execute arbitrary code.
The vulnerabilities – tracked from CVE-2023-50361 through CVE-2023-50364 – were resolved by QNAP on April 25, 2024, following disclosure in December 2023.
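The root cause QNAP describes, an unbounded strcpy of a request parameter into a fixed-size buffer, is a general bug class. The following is an added illustration, not QNAP's share.cgi code: the buffer size, the handler names and the alphanumeric allow-list for the parameter are all assumptions, and the point is the contrast between the unchecked copy and a version that validates length and content before copying.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed-size buffer; the real size in share.cgi is not known here. */
#define PARAM_BUF 32

/* Vulnerable pattern (the bug class in the advisory): a request parameter is
 * copied with strcpy into a stack buffer without checking its length. If the
 * parameter is PARAM_BUF bytes or longer, the copy writes past the end of buf.
 * Shown only to make the shape of the defect visible; never feed it untrusted data. */
static int handle_param_unsafe(const char *param)
{
    char buf[PARAM_BUF];
    strcpy(buf, param);              /* no bound: the defect */
    return (int)strlen(buf);
}

/* Hardened form: reject NULL, empty, over-long or unexpected input up front,
 * then copy a length that is already known to fit (including the NUL).
 * Returns the parameter length on success, -1 when the input is rejected. */
static int handle_param_checked(const char *param, char *out, size_t outsize)
{
    if (param == NULL || out == NULL || outsize == 0)
        return -1;

    size_t n = strlen(param);
    if (n == 0 || n >= outsize)      /* must leave room for the terminator */
        return -1;

    /* Assumed allow-list: treat the parameter as an opaque alphanumeric token. */
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)param[i];
        int ok = (c >= '0' && c <= '9') || (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z');
        if (!ok)
            return -1;
    }

    memcpy(out, param, n + 1);       /* bounded: n + 1 <= outsize is guaranteed above */
    return (int)n;
}

int main(void)
{
    char out[PARAM_BUF];
    /* Constructed sample inputs. */
    const char *good = "share7f3a";
    const char *toolong = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"; /* 40 chars */

    printf("unsafe(short)  -> %d\n", handle_param_unsafe(good));
    printf("checked(good)  -> %d (%s)\n", handle_param_checked(good, out, sizeof out), out);
    printf("checked(long)  -> %d\n", handle_param_checked(toolong, out, sizeof out));
    printf("checked(junk)  -> %d\n", handle_param_checked("../x", out, sizeof out));
    return 0;
}
```

Rejecting over-long input outright, rather than truncating it, is deliberate: truncation keeps the process alive but may still hand later code a parameter that no longer means what the client sent. ASLR, as QNAP notes, raises the cost of turning such an overflow into code execution, but it does not remove the overflow, so the length check is the fix and the mitigation is only defence in depth.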
It's worth noting that the company has yet to release fixes for CVE-2024-27131, which has been described by watchTowr as a case of “Log spoofing via x-forwarded-for [that] allows users to cause downloads to be recorded as requested from arbitrary source location.”
QNAP said CVE-2024-27131 is not an actual vulnerability but rather a design choice that requires a change in the UI specifications within the QuLog Center. That is expected to be remediated in QTS 5.2.0.
Details about four other vulnerabilities reported by watchTowr are currently withheld, with three of them currently under review. The fourth issue has been assigned a CVE ID and will be fixed in the upcoming release.
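The log-spoofing issue is the general problem of a server recording a client-supplied X-Forwarded-For value as the request source. The following added example, which is not QNAP's QuLog Center code, shows the usual defensive rule: log the TCP peer address by default and consult the header only when the connection actually comes from a configured reverse proxy. The trusted proxy address, the address-character allow-list and the function name are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Decide which address goes into the download log.
 *   peer_ip       - socket peer address; the client cannot forge this
 *   xff           - X-Forwarded-For header value, or NULL if absent
 *   trusted_proxy - the one upstream whose header we accept (assumed config value)
 * Writes the chosen address into out; returns 1 if the header was used, 0 if
 * the peer address was used (including every case where the header is ignored). */
static int source_for_log(const char *peer_ip, const char *xff,
                          const char *trusted_proxy, char *out, size_t outsize)
{
    /* Default: what the socket tells us. */
    snprintf(out, outsize, "%s", peer_ip);

    /* A header arriving on a direct connection is attacker-controlled: ignore it. */
    if (xff == NULL || trusted_proxy == NULL || strcmp(peer_ip, trusted_proxy) != 0)
        return 0;

    /* The header is a comma-separated chain; the last element is the one our
     * trusted proxy appended, i.e. the address it actually saw. */
    const char *last = strrchr(xff, ',');
    last = last ? last + 1 : xff;
    while (*last == ' ' || *last == '\t')
        last++;

    size_t n = strlen(last);
    if (n == 0 || n >= outsize)
        return 0;

    /* Allow only characters that can appear in an IPv4/IPv6 literal, so that
     * log injection via the header is impossible even from the proxy side. */
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)last[i];
        int ok = (c >= '0' && c <= '9') || (c >= 'a' && c <= 'f') ||
                 (c >= 'A' && c <= 'F') || c == '.' || c == ':';
        if (!ok)
            return 0;
    }

    memcpy(out, last, n + 1);
    return 1;
}

int main(void)
{
    char who[64];
    /* Constructed sample requests. */
    source_for_log("203.0.113.9", "198.51.100.1", "10.0.0.5", who, sizeof who);
    printf("direct client sending XFF      -> logged as %s\n", who);
    source_for_log("10.0.0.5", "198.51.100.1, 203.0.113.9", "10.0.0.5", who, sizeof who);
    printf("via trusted proxy              -> logged as %s\n", who);
    source_for_log("10.0.0.5", "evil host\n", "10.0.0.5", who, sizeof who);
    printf("proxy header with junk         -> logged as %s\n", who);
    return 0;
}
```

The single rule that matters is the `strcmp(peer_ip, trusted_proxy)` gate: without it, any client can make the log say the download came from wherever it likes, which is exactly the behaviour watchTowr describes. Whether the fix is applied in the logging back end or, as QNAP plans, in the QuLog Center UI specification, the record should distinguish the socket peer from any forwarded address rather than presenting the latter as fact.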
watchTowr said it was forced to go public with the issues last week after QNAP failed to address them within the stipulated 90-day public disclosure period, and that it had been generous in giving the company “multiple extensions” to allow it enough time.
In response, QNAP said it regretted the coordination issues, stating it is committing to releasing fixes for high- or critical-severity flaws within 45 days. Fixes for medium-severity vulnerabilities will be released within 90 days.
“We apologize for any inconvenience this may have caused and are committed to continuously improving our security measures,” it added. “Our goal is to work closely with researchers worldwide to ensure the highest quality of security for our products.”
With vulnerabilities in QNAP NAS devices exploited in the past by ransomware attackers, users are recommended to update to the latest versions of QTS and QuTS hero as soon as possible to mitigate potential threats.