Two critical zero-day bugs affect legacy QNAP Systems storage hardware, and expose devices to remote unauthenticated attackers.
The bugs, tracked as CVE-2020-25099 and CVE-2021-36195, impact QNAP’s model TS-231 network attached storage (NAS) hardware, allowing an attacker to manipulate stored data and hijack the device. The vulnerabilities, also impact some non-legacy QNAP NAS gear. However, it is important to note that patches are available for non-legacy QNAP NAS hardware.
A patch for the now-retired QNAP model TS-231 NAS device, first released in 2015, is scheduled to be released within weeks, QNAP representatives told Threatpost.
Patches for current model QNAP devices need to be downloaded from the QNAP download center and applied manually.
Zero-Day Disclosure
Both bugs were disclosed on Wednesday by SAM Seamless Network researchers, who released limited technical details. The disclosure was ahead of official QNAP public disclosure of the vulnerabilities, and was in line with SAM Seamless Network’s disclosure policy of giving a vendor three months to disclose vulnerability details. Both flaws were found in the Oct. and Nov. 2020 timeframe and made public Wednesday.
“We reported both vulnerabilities to QNAP with a four-month grace period to fix them,” researchers wrote. “Due to the seriousness of the vulnerabilities, we decided not to disclose the full details yet, as we believe this could cause major harm to tens of thousands of QNAP devices exposed to the internet.”
QNAP would not specifically say how many additional legacy NAS devices may be impacted. The company, in a statement to Threatpost said: “There are many hardware models of NAS in QNAP. (See: https://www.qnap.com/en/product/eol.php). In the list, you can find the models, the period of hardware repair or replacement, the supported OS and App updates and maintenance and the status of technical support and security updates. Most of the models, the security update could be upgraded to the latest version, i.e. QTS 4.5.2. However, some old hardware models have limits of firmware upgrade. For example, TS-EC1679U-SAS-RP could support only the legacy QTS 4.3.4.”
Breaking Down QNAP Bug One
Tracked as CVE-2020-2509, this remote code execution (RCE) bug is tied to firmware used in both old and new hardware, according to QNAP. Firmware versions prior to QTS 4.5.2.1566 (build 20210202) and QTS 4.5.1.1495 (build 20201123) are affected. Patches for current (non-legacy) hardware can be downloaded via QTS 4.5.2.1566 (ZIP) and QTS 4.5.1.1495 (ZIP).
The bug (CVE-2020-2509) resides in the NAS web server (default TCP port 8080), according to researchers.
“Previous RCE attacks on QNAP NAS models relied on web pages which do not require prior authentication, and run/trigger code in server-side. We’ve therefore inspected some CGI files (which implement such pages) and fuzzed a few of the more relevant ones,” researchers described.
They said that during the inspection, they were able to fuzz the web server with customized HTTP requests to different CGI pages, focusing on ones that didn’t require prior authentication. “We’ve been able to generate an interesting scenario, which triggers remote code execution indirectly (i.e., triggers some behavior in other processes),” researchers wrote.
A fix for the vulnerability, suggested by researchers, is “adding input sanitizations to some core processes and library APIs, but it has not been fixed as of this writing.”
Breaking Down QNAP Bug Two
The second bug, tracked as CVE-2021-36195, is an unauthenticated RCE and arbitrary file-write flaw. It impacts QNAP TS-231’s latest firmware (version 4.3.6.1446), released in September.
The flaw allows two types of attacks. One allows a remote attacker – with access to the web server (default port 8080) – to execute arbitrary shell commands, without prior knowledge of the web credentials.
The second attack “allows a remote attacker with access to the DLNA server (default port 8200) to create arbitrary file data on any (non-existing) location, without any prior knowledge or credentials. It can also be elevated to execute arbitrary commands on the remote NAS as well,” according to researchers at SAM Seamless Network.
To exploit the bug, researchers created a proof-of-concept attack. “[We used] a python script that we wrote in order to hack into the device. We achieve full takeover of the device by using a simple reverse shell technique. After that, we access a file that’s stored on the QNAP storage. Any file stored can be accessed similarly.”
QNAP said a fix for supported hardware can be downloaded from the QNAP App Center and is identified as Multimedia Console 1.3.4.
QNAP Patch Timeline
“Currently, we have released the fix in the latest firmware and related app,” QNAP representatives told Threatpost. “Since the severity level is high, we would like to release the security update for legacy versions. It is expected to be available in a week. In addition, we hope there will be another week for users’ updates.”
Check out our free upcoming live webinar events – unique, dynamic discussions with cybersecurity experts and the Threatpost community: