QNAP Rushes Patch for Code Execution Flaw in NAS Devices

QNAP rolls out patches for multiple vulnerabilities after proof-of-concept exploit published for a remote code execution vulnerability.

Taiwan-based QNAP Systems on Tuesday rolled out patches for multiple vulnerabilities in its Network Attached Storage (NAS) devices, including a bug for which proof-of-concept code was published last week.

The issue, tracked as CVE-2024-27130, is described as the unsafe “use of the ‘strcpy’ function in the No_Support_ACL function, which is utilized by the get_file_size request in the share.cgi script.”

The script is used when a user shares files with external users, and successful exploitation of the vulnerability requires an attacker to obtain the ‘ssid’ parameter generated when the NAS user shares a file.

According to WatchTowr, the vulnerability leads to a stack buffer overflow and can be used for remote code execution. The cybersecurity firm, which has shared technical details on CVE-2024-27130, also published PoC code targeting devices with the Address Space Layout Randomization (ASLR) mitigation disabled.

Because ASLR is enabled by default on all QNAP devices running QTS 4.x and 5.x, successful exploitation of the bug is significantly more difficult.
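
The bug class described above, an unbounded `strcpy` of a request parameter into a fixed-size stack buffer, is shown here next to a length-checked replacement. This is an added example, not QNAP's or WatchTowr's code; the function names, the `name` parameter, the 64-byte buffer size and the sample query string are all assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define VALUE_MAX 64  /* assumed capacity of the destination stack buffer */

/* Find "key=" in a query string; return a pointer to the value, set *len. */
const char *find_param(const char *query, const char *key, size_t *len)
{
    size_t klen = strlen(key);
    const char *p = query;
    while (p && *p) {
        const char *end = strchr(p, '&');
        size_t seg = end ? (size_t)(end - p) : strlen(p);
        if (seg > klen && strncmp(p, key, klen) == 0 && p[klen] == '=') {
            *len = seg - klen - 1;
            return p + klen + 1;
        }
        p = end ? end + 1 : NULL;
    }
    return NULL;
}

/* Unsafe pattern: strcpy copies until the NUL byte and never looks at the
 * size of dst. Kept only for contrast; nothing in this example calls it. */
void copy_unchecked(char *dst, const char *src)
{
    strcpy(dst, src);
}

/* Hardened form: 0 on success, -1 if key is absent, -2 if value is too long. */
int get_value_checked(const char *query, const char *key, char *dst, size_t dst_size)
{
    size_t len = 0;
    const char *val = find_param(query, key, &len);
    if (val == NULL) return -1;
    if (len >= dst_size) return -2;   /* reject instead of truncating silently */
    memcpy(dst, val, len);
    dst[len] = '\0';
    return 0;
}

int main(void)
{
    char buf[VALUE_MAX];
    /* Constructed sample input, not the real share.cgi request format. */
    int rc = get_value_checked("ssid=abc123&name=report.pdf", "name", buf, sizeof buf);
    printf("rc=%d value=%s\n", rc, rc == 0 ? buf : "(rejected)");
    return 0;
}
```

Rejecting an oversize value outright, rather than truncating it, also gives the service a clear event to log when malformed requests arrive.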

QNAP resolved the flaw with the release of QTS 5.1.7.2770 build 20240520 and QuTS hero h5.1.7.2770 build 20240520, which also address four other vulnerabilities reported by WatchTowr.

“ASLR significantly increases the difficulty for an attacker to exploit this vulnerability. Therefore, we have assessed its severity as Medium. Nonetheless, we strongly recommend users update to QTS 5.1.7 / QuTS hero h5.1.7 as soon as it becomes available to ensure their systems are protected,” QNAP said on Tuesday.

WatchTowr disclosed a total of 15 vulnerabilities in QNAP’s devices over the past six months: 14 were reported in December 2023 and January 2024, and another one was reported on May 11.

The vendor patched four of these in late April, and five more with the May 21 updates, when it also announced that two other issues will be addressed with upcoming updates. QNAP says it has yet to confirm three other flaws.

“We regret any coordination issues that may have occurred between the product release schedule and the disclosure of these vulnerabilities. We are taking steps to improve our processes and coordination in the future to prevent such issues from arising again,” QNAP said, in response to WatchTowr disclosing the flaws before patches were rolled out.

WatchTowr gave the vendor several extensions over the industry-standard 90-day period mentioned in its vulnerability disclosure program.

“Moving forward, for vulnerabilities triaged as High or Critical severity, we commit to completing remediation and releasing fixes within 45 days. For Medium severity vulnerabilities, we will complete remediation and release fixes within 90 days,” QNAP added.

Users are advised to update to the latest QTS and QuTS hero releases as soon as possible. Threat actors are known to have exploited QNAP vulnerabilities for which patches had been released.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
