DIVD-2024-00025 - QNAP - OS command injection as Admin user possible via quick.cgi

Summary

Two (OS) command injection vulnerabilities have been found in QNAP devices. When exploited it’s possible for attackers with network/internet access to execute CLI commands on your NAS device as an admin user. QNAP has linked CWE-78 to both CVE’s. This is related to ‘Improper Neutralization of Special Elements used in an OS Command (“OS Command Injection”)’.

Recommendations

QNAP recommends to upgrade to the latest version, to benefit from vulnerability fixes. On the versions below, the mentioned vulnerabilities have been fixed:

• QTS 5.x - QTS 5.1.5.2645 build 20240116 and later
• QTS 4.5.x and 4.4.x - QTS 4.5.4.2627 build 20231225 and later
• QTS 4.3.6 and 4.3.5 - QTS 4.3.6.2665 build 20240131 and later
• QTS 4.3.4 - QTS 4.3.4.2675 build 20240131 and later
• QTS 4.3.(0-3) - QTS 4.3.3.2644 build 20240131 and later
• QTS 4.2.x - QTS 4.2.6 build 20240131 and later
• QuTS hero h5.x - QuTS hero h5.1.5.2647 build 20240118 and later
• QuTS hero h4.x - QuTS hero h4.5.4.2626 build 20231225 and later
• QuTScloud c5.x - QuTScloud c5.1.5.2651 and later

DIVD recommends that you do not have this device reachable from the internet unless it is absolutely nessecary. If this is the case, a firewall rule should be placed in front of the QNAP device so that it can only be accessed from trusted IP addresses.

Please check also this QNAP page about their security advice tilted take immediate-actions to stop your nas from exposing to the internet.

–> Specially have a look at “Step 2: Disable the UPnP function of the QNAP NAS”

What we are doing

DIVD is currently working to identify vulnerable parties and notifying these. We do this by finding QNAP devices connected to the internet and verifying if the quick.cgi file is available. The notifications will be sent to the party responsible for the ip address according to the whois database.

Timeline

More information

• CVE-2023-47218
• CVE-2023-50358
• QNAP Security Advisory 23-57