Recent attacks targeting QNAP Network Attached Storage (NAS) devices were attempting to exploit a vulnerability that was addressed in July 2017, 360 Netlab security researchers say.
The attacker, 360 Netlab says, shows caution in exploiting the security flaw. However, the researchers were able to identify two attacker IPs, namely 219.85.109[.]140 and 103.209.253[.]252, both of which use the same payload.
Following successful exploitation, a file from http[:]//165.227[.]39.105:8096/aaa is fetched. Analysis of the 165[.][227.39.105 host revealed the presence of SSH, Metasploit, Apache httpd, and other services.
Analysis of the QNAP NAS vulnerability revealed that it resides in the CGI program /httpd/cgi-bin/authLogout.cgi, which is used when users log out, and which selects a logout function based on the field name in the cookie.
“The problem is QPS_SID, QMS_SID and QMMS_SID does not filter special characters and directly calls the snprintf function to splice curl command string and calls the system function to run the string, thus making command injection possible,” 360 Netlab explains.
After coming up with proof-of-concept code, the researchers contacted the vendor, on May 13. The vendor replied on August 12, revealing that the security bug had been addressed three years ago. Version 4.3.3 of the firmware includes the fix.
“This release replaced the system function with qnap_exec, and the qnap_exec function is defined in the /usr/lib/libuLinux_Util.so.0. By using the execv to execute custom command, command injection has been avoided,” the researchers say.
Despite the availability of a firmware update since July 2017, however, unpatched devices connected to a network still exist.
“We recommend that QNAP NAS users check and update their firmwares in a timely manner and also check for abnormal processes and network connections,” the researchers say.