QNAP has released a series of patches addressing critical vulnerabilities affecting QTS and QuTS hero systems, which could be exploited to execute code on their Network Attached Storage (NAS) devices.
The issues affecting QTS 5.1.x and QuTS hero h5.1.x are as follows:
- CVE-2024-21902: Improper permissions in critical resource handling, allowing authenticated users to read or modify resources over the network.
- CVE-2024-27127: Double-free vulnerability, enabling authenticated users to execute arbitrary code over the network.
- CVE-2024-27128, CVE-2024-27129, and CVE-2024-27130: A set of buffer overflow vulnerabilities, permitting authenticated users to execute arbitrary code over the network.
These vulnerabilities require valid accounts on the NAS devices and have been fixed in versions QTS 5.1.7.277020240520 and QuTS hero h5.1.7.277020240520. Discovered and reported by Aliz Hammond of WatchTowr Labs on January 3, 2024, CVE-2024-27130 specifically involves insecure usage of the ‘strcpy’ function in the No_Support_ACL function, used by the ‘get_file_size’ request in the share.cgi script when sharing media with external users.
QNAP noted that all versions of QTS 4.x and 5.x enable Address Space Layout Randomization (ASLR), making it challenging for attackers to exploit these vulnerabilities.
These patches were released four days after a detailed disclosure of 15 vulnerabilities by a Singapore-based cybersecurity firm, including four allowing unauthorized code execution bypassing authentication. These vulnerabilities are identified as CVE-2023-50361 to CVE-2023-50364, disclosed in December 2023 and fixed by QNAP on April 25, 2024.
It’s noteworthy that QNAP has not yet released a fix for CVE-2024-27131, described by WatchTowr as potentially allowing download records to be spoofed via ‘x-forwarded-for’ logs. QNAP plans to address this through design changes in the QuLog center UI specifications, expected in QTS 5.2.0.
Details on the other four vulnerabilities reported by WatchTowr are currently withheld, with three under review and one assigned a CVE ID for fixing in an upcoming release.
In response, QNAP expressed regret over coordination issues and pledged to release fixes for high or critical severity vulnerabilities within 45 days, with medium severity fixes expected within 90 days.
QNAP added, “We apologize for any inconvenience this may cause and remain committed to enhancing our security measures. Our goal is to collaborate closely with global researchers to ensure the highest quality security for our products.”
Given past incidents of ransomware attacks exploiting QNAP NAS devices, users are advised to update promptly to the latest versions of QTS and QuTS hero to mitigate potential threats.