DIVD-2023-00006 - Unauthenticated code injection in QNAP QTS and QuTS hero
| Our reference | DIVD-2023-00006 |
| Case lead | Stan Plasmeijer |
| Researcher(s) |
|
| CVE(s) | |
| Product | QNAP QTS and QNAP QuTS hero |
| Versions |
|
| Recommendation | If you have a vulnerable QTS or QuTS hero, update to the latest version. |
| Status | Open |
| Last modified | 07 Feb 2023 11:20 |
Summary
A vulnerability has been found in QNAP devices running QTS 5.0.1 and QuTS hero h5.0.1. When exploited, it is possible for attackers to inject malicious code. QNAP has linked CWE-89 to this CVE. The CWE is related to ‘Improper Neutralization of Special Elements used in an SQL Command (or SQL injection)’. QTS 5.0.0, QTS 4.x.x, QuTS hero 5.0.0 and QuTS hero 4.5.x are not affected.
What you can do
Update your QTS or QuTS hero. This can be done by navigating to Control Panel > System > Firmware Update. Under Live Update, click Check for Update.
What we are doing
DIVD is currently working to identify vulnerable parties and notifying these. We do this by finding QNAP QTS and QNAP QuTS Hero instances and verifying their version and build number. The notificaiton will be sent to the party responsible for the ip address accoording to the whois database.
Timeline
| Date | Description |
|---|---|
| 02 Feb 2023 | DIVD starts researching fingerprint. |