Network-attached storage (NAS) specialist QNAP has disclosed and released fixes for two new vulnerabilities, one of them a zero-day discovered in early November.
The Taiwanese company’s coordinated disclosure of the issues with researchers at Unit 42 by Palo Alto Networks has, however, led to some confusion over the severity of the security problem.
QNAP assigned CVE-2023-50358 a middling 5.8-out-of-10 severity score, the breakdown of which revealed it was classified as a high-complexity attack that would have a low impact if exploited successfully.
Unit 42’s assessment, on the other hand, was the polar opposite: “These remote code execution vulnerabilities affecting IoT devices exhibit a combination of low attack complexity and critical impact, making them an irresistible target for threat actors. As a result, protecting IoT devices against such threats is an urgent task.”
The German Federal Office for Information Security (BSI) also released an emergency alert today warning that successful exploits could lead to “major damage,” encouraging users to apply patches quickly.
At the time of writing, the National Vulnerability Database (NVD) is still working to assign the vulnerability an independent rating.
Typically, command injection vulnerabilities that are easy to exploit tend to attract severity scores at the higher end of the scale, so it will be interesting to see what the NVD’s score ends up being.
According to Unit42’s internet scans of vulnerable devices carried out in mid-January, 289,665 separate IP addresses registered a vulnerable, public-facing device.
Germany and the US were the most exposed, with 42,535 and 36,865 vulnerable devices respectively, while China, Italy, Japan, Taiwan, and France trailed each with over 10,000 devices exposed.
Exploiting CVE-2023-50358
Unlike QNAP, Unit 42 published a technical breakdown of CVE-2023-50358 and how to exploit the vulnerability.
It’s classed as a command injection flaw in the quick.cgi component of QNAP’s QTS firmware, which runs on most of its NAS devices.
“While setting the HTTP request parameter todo=set_timeinfo, the request handler in quick.cgi saves the value of the parameter SPECIFIC_SERVER into a configuration file /tmp/quick/quick_tmp.conf with the entry name NTP Address,” the researchers explained.
"After writing the NTP server address, the component starts time synchronization using the ntpdate utility. The command-line execution is built by reading the NTP Address in quick_tmp.conf, and this string is then executed using system().
“Untrusted data from the SPECIFIC_SERVER parameter is therefore used to build a command line to be executed in the shell resulting in arbitrary command execution.”
Double up
QNAP’s advisory also detailed fixes for a second command injection flaw, CVE-2023-47218, which was reported by Stephen Fewer, principal security researcher at Rapid7, and has also been given the same 5.8 severity score.
The advisory itself combines both vulnerabilities and provides technical details for neither, so it’s difficult to determine what the differences are from this alone.
Rapid7’s advisory, however, provides extensive detail on how CVE-2023-47218 also lies in the quick.cgi component, allowing for command injection, and how it can feasibly be exploited using a specially crafted HTTP POST request.
Details of the disclosure timeline also offered a glimpse at what appears to be a slightly ticked-off Rapid7 after QNAP went silent and published its patches earlier than agreed.
After agreeing to a coordinated disclosure date for the vulnerabilities of February 7 back in December, on January 25 QNAP told Rapid7 it had already pushed out the patches. This followed more than two weeks of radio silence from the NAS slinger after Rapid7 requested a progress update.
QNAP also asked Rapid7 to delay the publication of its advisory to February 26, nearly three weeks after the original agreed date, which didn’t appear to have been received warmly.
So many patches
Rather than focusing on the technical details of the vulnerabilities, QNAP’s main focus with its disclosure appears to be highlighting the different patches available for different firmware versions. QTS, QuTS hero, and QuTAcloud are all impacted differently and each version has its own specific upgrade recommendation.
This is the best summary I could come up with:
The Taiwanese company’s coordinated disclosure of the issues with researchers at Unit 42 by Palo Alto Networks has, however, led to some confusion over the severity of the security problem.
Unit 42’s assessment, on the other hand, was the polar opposite: "These remote code execution vulnerabilities affecting IoT devices exhibit a combination of low attack complexity and critical impact, making them an irresistible target for threat actors.
The German Federal Office for Information Security (BSI) also released an emergency alert today warning that successful exploits could lead to “major damage,” encouraging users to apply patches quickly.
QNAP’s advisory also detailed fixes for a second command injection flaw, CVE-2023-47218, which was reported by Stephen Fewer, principal security researcher at Rapid7, and has also been given the same 5.8 severity score.
Rapid7’s advisory, however, provides extensive detail on how CVE-2023-47218 also lies in the quick.cgi component, allowing for command injection, and how it can feasibly be exploited using a specially crafted HTTP POST request.
QNAP also asked Rapid7 to delay the publication of its advisory to February 26, nearly three weeks after the original agreed date, which didn’t appear to have been received warmly.
The original article contains 746 words, the summary contains 192 words. Saved 74%. I’m a bot and I’m open source!
