Researchers have found 15 vulnerabilities in QNAP’s network attached storage (NAS) devices, and have released a proof-of-concept for one: an unauthenticated stack overflow vulnerability (CVE-2024-27130) that may be leveraged for remote code execution.
The vulnerabilities and the CVE-2024-27130 PoC
“With a codebase bearing some long 10+ year legacy, and a long history of security weaknesses,” QNAP’s QTS operating system and its “variants” (QuTSCloud and QTS hero) enticed WatchTowr Labs researchers to probe for vulnerabilities.
“Given the shared-access model of the NAS device, which permits sharing files with specific users, both authenticated and unauthenticated bugs were of interest to us,” they said.
They ended up discovering 15, ranging from missing/incorrect authentication and buffer and heap overflows to log spoofing and stored cross-site scripting bugs.
CVE-2024-27130 – the vulnerability for which they released a PoC exploit (that only works on a QNAP device where address space layout randomization has been manually disabled) – may allow an attacker to trigger a buffer overflow by sending a request with a specially crafted name parameter.
A requirement for a successful attack is knowing the correct ssid parameter to use, and the researchers have figured out how to get it: it can be extracted from a link generated when a NAS user shares a file with a user who doesn’t have a NAS account.
“While this limits the usefulness of the bug a little – true unauthenticated bugs are much more fun! – it’s a completely realistic attack scenario that a NAS user has shared a file with an untrusted user,” they noted.
“We can, of course, verify this expectation by turning to a quick-and-dirty google dork, which finds a whole bunch of ssids, verifying our assumption that sharing a file with the entire world is something that is done frequently by NAS users.”
Update your NAS regularly
QNAP NAS devices are popular with small-and-medium sized business, enterprises, as well as ransomware gangs. While the former are using them to store their data, the latter love them because they can encrypt sensitive data and hold it to ransom.
The researchers reported the vulnerabilities to QNAP in December 2023 and January 2024, and QNAP has finally begun releasing fixes in April 2024 (for CVE-2023-50361 to CVE-2023-50364).
Another batch – encompassing CVE-2024-21902 and CVE-2024-27127 to CVE-2024-27130 – has been addressed in QTS 5.1.7.2770 build 20240520 and later and QuTS hero h5.1.7.2770 build 20240520 and later, released today.
Other fixes are likely in the works and may take some time, as some of the issues are rather complex. WatchTowr Labs says they will publish more info about the discovered bugs at a later date.
Admins are advised to regularly update their systems, to mitigate the risk of exploitation of these and other holes that get privately disclosed or exploited as zero-days.