
DIVD-2024-00016 - Command injection vulnerabilities in QNAP devices

Our reference DIVD-2024-00016
Case lead Stan Plasmeijer
Author Koen Schagen
Researcher(s)
  • Koen Schagen
CVE(s)
Products
  • QNAP QTS
  • QNAP QuTS hero
  • QNAP QuTScloud
Versions
  • QTS 5.x - versions before QTS 5.1.3.2578 build 20231110
  • QTS 4.5.x - versions before QTS 4.5.4.2627 build 20231225
  • QuTS hero h5.x - versions before QuTS hero h5.1.3.2578 build 20231110
  • QuTS hero h4.5.x - versions before QuTS hero h4.5.4.2626 build 20231225
  • QuTScloud c5.x - versions before QuTScloud c5.1.5.2651
Recommendation If your QNAP device runs any of the vulnerable firmware/software versions listed above, update it to the latest version.
Patch status Released
Status Open
Last modified 23 May 2024 23:31

Summary

Several OS command injection vulnerabilities have been found in QNAP devices. When exploited, they allow an attacker to execute commands on the device over the network. QNAP has assigned CWE-78, ‘Improper Neutralization of Special Elements used in an OS Command (“OS Command Injection”)’, to all of the CVEs concerned.

Recommendations

QNAP recommends upgrading to the latest version to benefit from the vulnerability fixes. The versions in which the mentioned vulnerabilities were fixed are the ones listed under Versions above.

DIVD recommends considering whether the device needs to be reachable from the Internet at all. If it does, a firewall in front of the QNAP device can restrict access to trusted IP addresses only.

Please also check this QNAP page with their security advice: take-immediate-actions-to-stop-your-nas-from-exposing-to-the-internet

In particular, have a look at “Step 2: Disable the UPnP function of the QNAP NAS”.

What we are doing

DIVD is currently working to identify vulnerable parties and notify them. We do this by finding QNAP devices connected to the internet and verifying their version and build number. Notifications are sent to the party responsible for the IP address according to the whois database.
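Deciding whether a given version and build number falls inside the affected ranges is the part an operator can do locally. The Python below is an added example, not DIVD's scanner or QNAP code: it parses a QNAP version banner and compares it against the fixed versions listed under Versions above. This page does not say how DIVD obtains a device's version, so nothing here fetches anything; the banner formats (a plain release like "5.1.3.2578 build 20231110", or one prefixed with h/c for QuTS hero/QuTScloud) and the sample banners at the bottom are assumptions, constructed for illustration.

```python
import re
from typing import NamedTuple, Optional, Tuple


class QnapVersion(NamedTuple):
    product: str                 # "QTS", "QuTS hero" or "QuTScloud"
    release: Tuple[int, ...]     # (major, minor, patch, revision), e.g. (5, 1, 3, 2578)
    build_date: Optional[int]    # YYYYMMDD from "build 20231110", or None if absent


# Assumed banner shapes (not taken from this page): an optional product name, an optional
# product prefix letter (none = QTS, h = QuTS hero, c = QuTScloud), a four-part release
# number and an optional "build YYYYMMDD".
_VERSION_RE = re.compile(
    r"^(?:(?P<name>QTS|QuTS\s*hero|QuTScloud)\s+)?"
    r"(?P<prefix>[hc])?(?P<rel>\d+\.\d+\.\d+\.\d+)"
    r"(?:\s*build\s*(?P<date>\d{8}))?$",
    re.IGNORECASE,
)
_PREFIX_TO_PRODUCT = {"": "QTS", "h": "QuTS hero", "c": "QuTScloud"}


def parse_version(banner: str) -> QnapVersion:
    """Parse a QNAP version banner; raise ValueError if it is not recognised or inconsistent."""
    m = _VERSION_RE.match(banner.strip())
    if not m:
        raise ValueError(f"unrecognised QNAP version string: {banner!r}")
    prefix = (m.group("prefix") or "").lower()
    product = _PREFIX_TO_PRODUCT[prefix]
    name = m.group("name")
    # A spelled-out product name must agree with the prefix letter, e.g. "QTS h5.x" is bogus.
    if name and re.sub(r"\s+", " ", name).lower() != product.lower():
        raise ValueError(f"product name {name!r} does not match version prefix {prefix!r}")
    release = tuple(int(p) for p in m.group("rel").split("."))
    date = int(m.group("date")) if m.group("date") else None
    return QnapVersion(product, release, date)


# Fixed versions as given in the DIVD-2024-00016 case file: product, the branch the entry
# covers (a prefix of the release tuple), the first fixed release and its build date
# (None where the case file lists no build number).
FIXED_VERSIONS = [
    ("QTS",       (5,),   (5, 1, 3, 2578), 20231110),
    ("QTS",       (4, 5), (4, 5, 4, 2627), 20231225),
    ("QuTS hero", (5,),   (5, 1, 3, 2578), 20231110),
    ("QuTS hero", (4, 5), (4, 5, 4, 2626), 20231225),
    ("QuTScloud", (5,),   (5, 1, 5, 2651), None),
]


def is_vulnerable(banner: str) -> Optional[bool]:
    """True if the banner is inside an affected range, False if at or past the fixed release,
    None if the branch is not covered by the case file or the build date needed to decide
    is missing. A None result should be treated as 'check manually', not as 'safe'."""
    v = parse_version(banner)
    for product, branch, fixed_release, fixed_date in FIXED_VERSIONS:
        if v.product != product or v.release[: len(branch)] != branch:
            continue
        if v.release != fixed_release:
            return v.release < fixed_release
        # Same release number: only the build date separates vulnerable from fixed.
        if fixed_date is None:
            return False
        if v.build_date is None:
            return None
        return v.build_date < fixed_date
    return None  # branch not listed in the case file; cannot decide from it


if __name__ == "__main__":
    # Constructed sample banners, not data from any real scan.
    for sample in [
        "5.1.2.2533 build 20230926",          # older release: vulnerable
        "QTS 5.1.3.2578 build 20231110",      # exactly the fixed build: not vulnerable
        "5.1.3.2578 build 20231101",          # same release, earlier build: vulnerable
        "5.1.3.2578",                         # no build date: undecidable
        "h4.5.4.2625 build 20231201",         # QuTS hero h4.5.x before fix: vulnerable
        "QuTScloud c5.1.5.2651",              # fixed QuTScloud release
        "4.3.6.2665 build 20240131",          # QTS 4.3.x: branch not covered here
    ]:
        print(f"{sample!r:40} -> {is_vulnerable(sample)}")
```

The three-valued result is deliberate: a branch the case file does not list, or a banner with the right release number but no build date, is a gap in evidence, and a scanner or inventory script that collapses that into "not vulnerable" will quietly skip hosts that still need patching.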

Timeline

Date Description
30 Apr 2024 DIVD starts researching the vulnerabilities.
01 May 2024 DIVD found a way to fingerprint vulnerable devices
04 May 2024 First version of this casefile
04 May 2024 DIVD starts scanning the internet for vulnerable instances
23 May 2024 First round of notifications sent to about 4000 hosts

More information