Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Data Protection

Hackers Are Targeting a Three-Year Old Vulnerability in QNAP NAS Devices

Recent attacks targeting QNAP Network Attached Storage (NAS) devices were attempting to exploit a vulnerability that was addressed in July 2017, 360 Netlab security researchers say. 

Recent attacks targeting QNAP Network Attached Storage (NAS) devices were attempting to exploit a vulnerability that was addressed in July 2017, 360 Netlab security researchers say. 

The attacker, 360 Netlab says, shows caution in exploiting the security flaw. However, the researchers were able to identify two attacker IPs, namely 219.85.109[.]140 and 103.209.253[.]252, both of which use the same payload. 

Following successful exploitation, a file from http[:]//165.227[.]39.105:8096/aaa is fetched. Analysis of the 165[.][227.39.105 host revealed the presence of SSH, Metasploit, Apache httpd, and other services.

Analysis of the QNAP NAS vulnerability revealed that it resides in the CGI program /httpd/cgi-bin/authLogout.cgi, which is used when users log out, and which selects a logout function based on the field name in the cookie. 

“The problem is QPS_SID, QMS_SID and QMMS_SID does not filter special characters and directly calls the snprintf function to splice curl command string and calls the system function to run the string, thus making command injection possible,” 360 Netlab explains. 

After coming up with proof-of-concept code, the researchers contacted the vendor, on May 13. The vendor replied on August 12, revealing that the security bug had been addressed three years ago. Version 4.3.3 of the firmware includes the fix. 

“This release replaced the system function with qnap_exec, and the qnap_exec function is defined in the /usr/lib/libuLinux_Util.so.0. By using the execv to execute custom command, command injection has been avoided,” the researchers say. 

Despite the availability of a firmware update since July 2017, however, unpatched devices connected to a network still exist. 

“We recommend that QNAP NAS users check and update their firmwares in a timely manner and also check for abnormal processes and network connections,” the researchers say. 

Related: US, UK Warn of Malware Targeting QNAP NAS Devices

Related: Vulnerabilities Exposed Hundreds of Thousands of QNAP NAS Devices

Related: Ransomware Targets QNAP Linux Systems

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Vulnerabilities

Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.