DIVD-2024-00025 - QNAP - OS command injection as Admin user possible via quick.cgi

Our reference DIVD-2024-00025
Case lead Koen Schagen
Researcher(s)
  • Koen Schagen
CVE(s)
Products
  • QNAP QTS
  • QNAP QuTS hero
  • QNAP QuTScloud
Versions
  • QTS 5.x - versions before QTS 5.1.5.2645 build 20240116
  • QTS 4.5.x and 4.4.x - versions before QTS 4.5.4.2627 build 20231225
  • QTS 4.3.6 and 4.3.5 - versions before QTS 4.3.6.2665 build 20240131
  • QTS 4.3.4 - versions before QTS 4.3.4.2675 build 20240131
  • QTS 4.3.(0-3) - versions before QTS 4.3.3.2644 build 20240131
  • QTS 4.2.x - versions before QTS 4.2.6 build 20240131
  • QuTS hero h5.x - versions before QuTS hero h5.1.5.2647 build 20240118
  • QuTS hero h4.x - versions before QuTS hero h4.5.4.2626 build 20231225
  • QuTScloud c5.x - versions before QuTScloud c5.1.5.2651
Recommendation If you have a any of the vulnerable firmware/software version on your QNAP device, please update it to the latest version.
Patch status Released
Status Closed
Last modified 03 Oct 2024 21:51 CEST

Summary

Two (OS) command injection vulnerabilities have been found in QNAP devices. When exploited, it’s possible for attackers with network/internet access to execute CLI commands on your NAS device as admin users. QNAP has linked CWE-78 to both CVE’s. This is related to ‘Improper Neutralization of Special Elements used in an OS Command (“OS Command Injection”)’.

Recommendations

QNAP recommends upgrading to the latest version to benefit from vulnerability fixes. On the versions below, the mentioned vulnerabilities have been fixed:

DIVD recommends that you do not have this device reachable from the internet unless it is absolutely nessecary. If this is the case, a firewall rule should be placed in front of the QNAP device so that it can only be accessed from trusted IP addresses.

Please also check this QNAP page about their security advice titled take immediate-actions to stop your nas from exposure to the internet.

–> Especially have a look at “Step 2: Disable the UPnP function of the QNAP NAS”

What we are doing

DIVD is currently working to identify vulnerable parties and notifying these. We do this by finding QNAP devices connected to the internet and verifying if the quick.cgi file is available. The notifications will be sent to the party responsible for the IP address according to the Whois database.

Timeline

Date Description
07 Jun 2024 DIVD starts researching the vulnerabilities.
17 Jun 2024 DIVD found a way to fingerprint vulnerable devices
20 Jun 2024 First version of this casefile
20 Jun 2024 DIVD starts scanning the internet for vulnerable devices
24 Jun 2024 DIVD starts notifying network owners with a vulnerable device in their network.
30 Sep 2024 DIVD completed rescan and send out notications
03 Oct 2024 Case closed
gantt title DIVD-2024-00025 - QNAP - OS command injection as Admin user possible via quick.cgi dateFormat YYYY-MM-DD axisFormat %e %b %Y section Case DIVD-2024-00025 - QNAP - OS command injection as Admin user possible via quick.cgi (118 days) :2024-06-07, 2024-10-03 section Events DIVD starts researching the vulnerabilities. : milestone, 2024-06-07, 0d DIVD found a way to fingerprint vulnerable devices : milestone, 2024-06-17, 0d First version of this casefile : milestone, 2024-06-20, 0d DIVD starts scanning the internet for vulnerable devices : milestone, 2024-06-20, 0d DIVD starts notifying network owners with a vulnerable device in their network. : milestone, 2024-06-24, 0d DIVD completed rescan and send out notications : milestone, 2024-09-30, 0d Case closed : milestone, 2024-10-03, 0d

More information