DIVD-2023-00006 - Unauthenticated code injection in QNAP QTS and QuTS hero
Our reference | DIVD-2023-00006 |
Case lead | Stan Plasmeijer |
Researcher(s) | |
CVE(s) | |
Product | QNAP QTS and QNAP QuTS hero |
Versions |
|
Recommendation | If you have a vulnerable QTS or QuTS hero, update to the latest version. |
Status | Closed |
Last modified | 03 May 2023 19:33 CEST |
Summary
A vulnerability has been found in QNAP devices running QTS 5.0.1 and QuTS hero h5.0.1. When exploited, it is possible for attackers to inject malicious code. QNAP has linked CWE-89 to this CVE. The CWE is related to ‘Improper Neutralization of Special Elements used in an SQL Command (or SQL injection)’. QTS 5.0.0, QTS 4.x.x, QuTS hero 5.0.0 and QuTS hero 4.5.x are not affected.
What you can do
Update your QTS or QuTS hero. This can be done by navigating to Control Panel > System > Firmware Update. Under Live Update, click Check for Update.
What we are doing
DIVD is currently working to identify vulnerable parties and notify them. We do this by finding QNAP QTS and QNAP QuTS hero instances and verifying their version and build number. The notification will be sent to the party responsible for the IP address according to the whois database.
Timeline
Date | Description |
---|---|
02 Feb 2023 | DIVD starts researching fingerprint. |
08 Feb 2023 | DIVD conducts first scan. |
09 Feb 2023 | First scan finished, no vulnerable instances found. |
15 Feb 2023 | DIVD parsed the scan results of case DIVD-2022-00030. We didn’t find any devices running QTS 5.0.1 or QuTS hero h5.0.1. |
22 Mar 2023 | DIVD conducts second scan. |
22 Mar 2023 | Second scan finished, no vulnerable instances found. |
22 Mar 2023 | DIVD closes case |