Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Data Protection

Hackers Are Targeting a Three-Year Old Vulnerability in QNAP NAS Devices

Recent attacks targeting QNAP Network Attached Storage (NAS) devices were attempting to exploit a vulnerability that was addressed in July 2017, 360 Netlab security researchers say. 

Recent attacks targeting QNAP Network Attached Storage (NAS) devices were attempting to exploit a vulnerability that was addressed in July 2017, 360 Netlab security researchers say. 

The attacker, 360 Netlab says, shows caution in exploiting the security flaw. However, the researchers were able to identify two attacker IPs, namely 219.85.109[.]140 and 103.209.253[.]252, both of which use the same payload. 

Following successful exploitation, a file from http[:]//165.227[.]39.105:8096/aaa is fetched. Analysis of the 165[.][227.39.105 host revealed the presence of SSH, Metasploit, Apache httpd, and other services.

Analysis of the QNAP NAS vulnerability revealed that it resides in the CGI program /httpd/cgi-bin/authLogout.cgi, which is used when users log out, and which selects a logout function based on the field name in the cookie. 

“The problem is QPS_SID, QMS_SID and QMMS_SID does not filter special characters and directly calls the snprintf function to splice curl command string and calls the system function to run the string, thus making command injection possible,” 360 Netlab explains. 

After coming up with proof-of-concept code, the researchers contacted the vendor, on May 13. The vendor replied on August 12, revealing that the security bug had been addressed three years ago. Version 4.3.3 of the firmware includes the fix. 

“This release replaced the system function with qnap_exec, and the qnap_exec function is defined in the /usr/lib/libuLinux_Util.so.0. By using the execv to execute custom command, command injection has been avoided,” the researchers say. 

Despite the availability of a firmware update since July 2017, however, unpatched devices connected to a network still exist. 

Advertisement. Scroll to continue reading.

“We recommend that QNAP NAS users check and update their firmwares in a timely manner and also check for abnormal processes and network connections,” the researchers say. 

Related: US, UK Warn of Malware Targeting QNAP NAS Devices

Related: Vulnerabilities Exposed Hundreds of Thousands of QNAP NAS Devices

Related: Ransomware Targets QNAP Linux Systems

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Hear from experts as they explore the latest trends, challenges and innovations in Attack Surface Management.

Register

Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.

Register

People on the Move

Cloud networking firm Aviatrix has named John Qian as CISO.

CrowdStrike has appointed Kartik Shahani as vice president of India and SAARC.

Jill Popelka has been appointed CEO at Darktrace, after serving as COO for three months.

More People On The Move

Expert Insights