Skip to the content.

DIVD-2023-00006 - Unauthenticated code injection in QNAP QTS and QuTS hero

Our reference DIVD-2023-00006
Case lead Stan Plasmeijer
Researcher(s)
CVE(s)
Product QNAP QTS and QNAP QuTS hero
Versions
  • QTS 5.0.1.2234 build 20221201 and later
  • QuTS hero h5.0.1.2248 build 20221215 and later
Recommendation If you have a vulnerable QTS or QuTS hero, update to the latest version.
Status Closed
Last modified 03 May 2023 19:33

Summary

A vulnerability has been found in QNAP devices running QTS 5.0.1 and QuTS hero h5.0.1. When exploited, it is possible for attackers to inject malicious code. QNAP has linked CWE-89 to this CVE. The CWE is related to ‘Improper Neutralization of Special Elements used in an SQL Command (or SQL injection)’. QTS 5.0.0, QTS 4.x.x, QuTS hero 5.0.0 and QuTS hero 4.5.x are not affected.

What you can do

Update your QTS or QuTS hero. This can be done by navigating to Control Panel > System > Firmware Update. Under Live Update, click Check for Update.

What we are doing

DIVD is currently working to identify vulnerable parties and notifying these. We do this by finding QNAP QTS and QNAP QuTS Hero instances and verifying their version and build number. The notificaiton will be sent to the party responsible for the ip address accoording to the whois database.

Timeline

Date Description
02 Feb 2023 DIVD starts researching fingerprint.
08 Feb 2023 DIVD conducts first scan.
09 Feb 2023 First scan finished, no vulnerable instances found.
15 Feb 2023 DIVD parsed the scan results of case DIVD-2022-00030. We didn’t find any devices running QTS 5.0.1 and QuTS hero h5.0.1
22 Mar 2023 DIVD conducts second scan.
22 Mar 2023 Second scan finished, no vulnerable instances found.
22 Mar 2023 DIVD closes case
gantt title DIVD-2023-00006 - Unauthenticated code injection in QNAP QTS and QuTS hero dateFormat YYYY-MM-DD axisFormat %e %b %Y section Case DIVD-2023-00006 - Unauthenticated code injection in QNAP QTS and QuTS hero (48 days) :2023-02-02, 2023-03-22 section Events DIVD starts researching fingerprint. : milestone, 2023-02-02, 0d DIVD conducts first scan. : milestone, 2023-02-08, 0d First scan finished, no vulnerable instances found. : milestone, 2023-02-09, 0d DIVD parsed the scan results of case DIVD-2022-00030. We didn’t find any devices running QTS 5.0.1 and QuTS hero h5.0.1 : milestone, 2023-02-15, 0d DIVD conducts second scan. : milestone, 2023-03-22, 0d Second scan finished, no vulnerable instances found. : milestone, 2023-03-22, 0d DIVD closes case : milestone, 2023-03-22, 0d

More information