QNAP Systems has fixed a critical vulnerability (CVE-2022-27596) affecting QNAP network-attached storage (NAS) devices, which could be exploited by remote attackers to inject malicious code into a vulnerable system.
Luckily for QNAP NAS owners, there’s no mention of it being exploited by attackers or an exploit being publicly available.
QNAP’s advisory does not offer more details about CVE-2022-27596, but the vulnerability entry in NIST’s National Vulnerability Database reveals that the flaw may allow attackers to execute an SQL injection attack, due to “improper neutralization of special elements used in an SQL command.”
Successful exploitation may allow attackers to access sensitive data, modify or delete it.
The vulnerability affects QNAP devices running version 5.0.1 of the QTS operating system for entry- and mid-level QNAP NAS devices and versions h5.0.1 of QuTS hero, the OS for high-end and enterprise QNAP NAS models. It has been fixed in:
- QTS 22.214.171.1244 build 20221201 and later
- QuTS hero h126.96.36.1998 build 20221215 and later
Protect your NAS
“SQL injection has become a common issue with database-driven web sites. The flaw is easily detected, and easily exploited, and as such, any site or software package with even a minimal user base is likely to be subject to an attempted attack of this kind,” MITRE points out.
QNAP NAS devices (and other widely used NAS devices) are often targeted by threat actors wielding different flavors of ransomware. They sometimes exploit zero-day vulnerabilities to load the malware onto vulnerable internet-facing devices, but don’t mind exploiting known vulnerabilities and relying on many users not updating their devices regularly.
No workarounds for this flaw are available and QNAP advises users to update their appliances immediately.
Aside from that, administrators of NAS devices should:
- Use a unique, complex and long password and multi-factor authentication to secure the device’s admin account from password-guessing and brute-force attacks
- Disallow access to the device from the internet (if it’s not needed) and perhaps limit access to it only from a specific IP range (e.g., their home or business network).
UPDATE (February 1, 2023, 03:40 a.m. ET):
Censys says that at least 29,968 internet-facing QNAP NAS devices could be affected by this vulnerability.