Vulnerabilities impacting multiple QNAP operating systems (CVE-2022-27597, CVE-2022-27598)

Two vulnerabilities affecting various QNAP operating systems (CVE-2022-27597 and CVE-2022-27598) have been uncovered by Sternum. These vulnerabilities enable authenticated remote users to access secret values, requiring owners to take immediate action by updating their operating system(s).

Finding CVE-2022-27597 and CVE-2022-27598

Before discovering the vulnerabilities, the researchers ran performance testing and benchmarking on a QNAP TS-230 NAS device. Unexpectedly, attention shifted to a string of security alerts coming from the system, informing the team about multiple memory access violations that were detected on the device.

Alerts signaled on the system revealed multiple out-of-bound reads and writes by various functions in the device’s firmware. These memory access violations would ultimately lead to stability issues and unpredictable behavior of the original code, which could lead to arbitrary code execution if exploited by a malicious threat actor.

“Sadly, this story of this vulnerability is anything but surprising. In fact, almost every new integration or POC we have done so far ended with the same result – of us uncovering new vulnerabilities in runtime pretty much as soon as the device was connected,” said Amit Serper, Director of Security Research for Sternum.

“This speaks to gaps left behind by the security tests currently performed in development and also – more alarmingly – to the number of vulnerable devices in the wild. With tens of billions of devices in circulation, and many used for critical functions in healthcare, infrastructure, communication, transportation, etc., the threat posed by similar yet-to-be-detected vulnerabilities should not be taken lightly,” Serper concluded.

Affected and updated operating systems

The QNAP vulnerabilities affect the operating systems: QTS, QuTS hero, QuTScloud, QVP (QVR Pro appliances).

These operating system versions have already been updated:

• QTS 5.0.1.2346 build 20230322 and later
• QuTS hero h5.0.1.2348 build 20230324 and later

What can you do?

QNAP is actively resolving the vulnerabilities in QuTScloud and QVP and customers are encouraged to check the product support status to see the latest updates available for their NAS model.

Updating QTS, QuTS hero, or QuTScloud

1. Log in to QTS, QuTS hero, or QuTScloud as an administrator.
2. Log to Control Panel > System > Firmware Update.
3. Under Live Update, click Check for Update. The system downloads and installs the latest available update.

Updating QVP (QVR Pro Appliances)

1. Log in to QVP as an administrator.
2. Go to Control Panel > System Settings > Firmware Update.
3. Select the Firmware Update tab.
4. Click Browse… to upload the latest firmware file.
5. Click Update System.