DIVD-2024-00016 - Command injection vulnerabilities in QNAP devices
Our reference | DIVD-2024-00016 |
Case lead | Stan Plasmeijer |
Author | Koen Schagen |
Researcher(s) | |
CVE(s) | |
Products | |
Versions | |
Recommendation | If you have any of the vulnerable firmware/software versions on your QNAP device, please update it to the latest version. |
Patch status | Released |
Status | Open |
Last modified | 21 Oct 2024 17:45 CEST |
Summary
Several (OS) command injection vulnerabilities have been found in QNAP devices. When exploited, attackers with network access to the device can execute commands on it. QNAP has linked CWE-78 to all mentioned CVEs. This corresponds to ‘Improper Neutralization of Special Elements used in an OS Command (“OS Command Injection”)’.
Recommendations
QNAP recommends upgrading to the latest version to benefit from vulnerability fixes. The mentioned vulnerabilities have been fixed in the following versions:
- QTS 5.x - QTS 5.1.3.2578 build 20231110 and later
- QTS 4.5.x - QTS 4.5.4.2627 build 20231225 and later
- QuTS hero h5.x - QuTS hero h5.1.3.2578 build 20231110 and later
- QuTS hero h4.5.x - QuTS hero h4.5.4.2626 build 20231225 and later
- QuTScloud c5.x - QuTScloud c5.1.5.2651 and later
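The fixed-version list above can be turned into a local check: take the product and version string a device reports and decide whether it is at or above the first fixed release for its branch. The code below is an added example written for this casefile; it is not DIVD's fingerprinting code and not a QNAP tool. It assumes that each entry covers the whole branch it names (the QTS 5.x entry covers every QTS 5.x release below 5.1.3.2578, the 4.5.x entry every 4.5.x release below 4.5.4.2627), that QNAP's "h" and "c" prefixes on QuTS hero and QuTScloud versions can be dropped before comparing, and that when the version number is identical the build date decides. The sample version strings are constructed.

```python
import re
from typing import NamedTuple, Optional, Tuple


class Fixed(NamedTuple):
    product: str
    branch: Tuple[int, ...]   # leading version components this entry applies to
    version: Tuple[int, ...]  # first fixed version
    build: Optional[int]      # build date; None where the advisory lists none


# Fixed releases exactly as listed in this advisory.
FIXED = [
    Fixed("QTS", (5,), (5, 1, 3, 2578), 20231110),
    Fixed("QTS", (4, 5), (4, 5, 4, 2627), 20231225),
    Fixed("QuTS hero", (5,), (5, 1, 3, 2578), 20231110),
    Fixed("QuTS hero", (4, 5), (4, 5, 4, 2626), 20231225),
    Fixed("QuTScloud", (5,), (5, 1, 5, 2651), None),
]


class Reported(NamedTuple):
    product: str
    version: Tuple[int, ...]
    build: Optional[int]


_PRODUCTS = {"qts": "QTS", "quts hero": "QuTS hero", "qutscloud": "QuTScloud"}

# Accepts strings such as "QTS 5.1.3.2578 build 20231110",
# "QuTS hero h5.1.3.2578 build 20231110" or "QuTScloud c5.1.5.2651".
# The optional h/c prefix (assumed to be QNAP's own naming) is dropped.
_VERSION_RE = re.compile(
    r"^(?P<product>QTS|QuTS\s+hero|QuTScloud)\s+[hc]?(?P<version>\d+(?:\.\d+){1,3})"
    r"(?:\s+build\s+(?P<build>\d{8}))?$",
    re.IGNORECASE,
)


def parse_version(text: str) -> Reported:
    """Split a reported version string into product, numeric version and build."""
    m = _VERSION_RE.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognised QNAP version string: {text!r}")
    product = _PRODUCTS[" ".join(m["product"].lower().split())]
    version = tuple(int(part) for part in m["version"].split("."))
    build = int(m["build"]) if m["build"] else None
    return Reported(product, version, build)


def assess(text: str) -> str:
    """Classify a reported version against the advisory.

    Returns 'fixed', 'vulnerable', 'unknown' (same version number as the fix
    but no build date to compare) or 'not-covered' (a product/branch the
    advisory does not list, which needs manual checking).
    """
    r = parse_version(text)
    for f in FIXED:
        if f.product != r.product or r.version[: len(f.branch)] != f.branch:
            continue
        if r.version < f.version:
            return "vulnerable"
        if r.version > f.version:
            return "fixed"
        # Identical version number: only the build date can decide.
        if f.build is None:
            return "fixed"
        if r.build is None:
            return "unknown"
        return "fixed" if r.build >= f.build else "vulnerable"
    return "not-covered"


if __name__ == "__main__":
    # Constructed sample inputs, not observed devices.
    for sample in [
        "QTS 5.1.3.2578 build 20231110",
        "QTS 5.1.3.2578 build 20231109",
        "QuTS hero h4.5.4.2626 build 20231225",
        "QuTScloud c5.1.4.2600",
        "QTS 4.4.1.1234",
        "QTS 5.1.3.2578",
    ]:
        print(f"{sample:45} -> {assess(sample)}")
```

A result of `not-covered` does not mean safe; it means the reported branch is not one of the five listed above, so the device's status has to be checked against QNAP's own advisory directly.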
DIVD recommends that you do not make this device reachable from the internet unless it is absolutely necessary. If it must be, place a firewall rule in front of the QNAP device so that it can only be accessed from trusted IP addresses.
Please also check QNAP's security advice page titled “Take immediate actions to stop your NAS from exposing to the internet”.
In particular, have a look at “Step 2: Disable the UPnP function of the QNAP NAS”.
What we are doing
DIVD is currently working to identify vulnerable parties and notify them. We do this by finding QNAP devices connected to the internet and verifying their version and build number. The notifications will be sent to the party responsible for the IP address according to the WHOIS database.
Timeline
Date | Description |
---|---|
30 Apr 2024 | DIVD starts researching the vulnerabilities. |
01 May 2024 | DIVD found a way to fingerprint vulnerable devices |
04 May 2024 | First version of this casefile |
04 May 2024 | DIVD starts scanning the internet for vulnerable instances |
23 May 2024 | First round of notifications sent out |
18 Jun 2024 | Improved fingerprint to include older devices |
20 Jun 2024 | Rescan executed and second round of notifications sent |
15 Oct 2024 | Rescan executed and third round of notifications sent |
21 Oct 2024 | Case closed |