QNAP fixes OS command injection flaws affecting its NAS devices (CVE-2023-47218, CVE-2023-50358)

QNAP Systems has patched two unauthenticated OS command injection vulnerabilities (CVE-2023-47218, CVE-2023-50358) in various versions of the operating systems embedded in the firmware of their popular network-attached storage (NAS) devices.


About the vulnerabilities (CVE-2023-47218, CVE-2023-50358)

Both vulnerabilities are in the quick.cgi component, though seemingly in different functions. Both were reported to QNAP at the beginning of November 2023.

CVE-2023-47218, unearthed by Stephen Fewer, Principal Security Researcher at Rapid7, can be exploited by sending a specially crafted HTTP POST request.

CVE-2023-50358 was privately reported by Palo Alto Networks Unit 42.

“While setting the HTTP request parameter todo=set_timeinfo, the request handler in quick.cgi saves the value of the parameter SPECIFIC_SERVER into a configuration file /tmp/quick/quick_tmp.conf with the entry name NTP Address,” the researchers explained.

“After writing the NTP server address, the component starts time synchronization using the ntpdate utility. The command-line execution is built by reading the NTP Address in quick_tmp.conf, and this string is then executed using system(). Untrusted data from the SPECIFIC_SERVER parameter is therefore used to build a command line to be executed in the shell resulting in arbitrary command execution.”
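The pattern described above (a request value pasted into a command line that is then run through system()) is avoided by validating the value and starting the utility without a shell. The C code below is an added example, not QNAP's code or the researchers'; the function names, the character allowlist and the use of /bin/echo as a stand-in for the time-sync utility are assumptions.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Accept only a hostname or IP literal: letters, digits, '.', '-' and ':'
 * (IPv6), at most 253 characters, and no leading '-' so the value cannot
 * be read as an option by the child program. (Assumed allowlist.) */
int ntp_server_is_valid(const char *s)
{
    size_t n;
    if (s == NULL) return 0;
    n = strlen(s);
    if (n == 0 || n > 253 || s[0] == '-') return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!isalnum(c) && c != '.' && c != '-' && c != ':') return 0;
    }
    return 1;
}

/* Run `prog server` with no shell in between, so the value is passed as a
 * single argv element. Returns the child's exit status, or -1 if the value
 * is rejected or the process cannot be started. */
int run_time_sync(const char *prog, const char *server)
{
    if (!ntp_server_is_valid(server)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)prog, (char *)server, NULL };
        char *const envp[] = { NULL };
        execve(prog, argv, envp);
        _exit(127); /* only reached if execve failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed inputs; /bin/echo stands in for the time-sync utility. */
    run_time_sync("/bin/echo", "pool.ntp.org");
    return run_time_sync("/bin/echo", "time.example;x") == -1 ? 0 : 1;
}
```

Validation should happen both when the value is written to the configuration file and again when it is read back, since the file itself is an untrusted intermediate.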

Jeff Luo, Security Research Engineer at Palo Alto Networks, told Help Net Security that they discovered CVE-2023-50358 as they monitored telemetry from the Palo Alto Networks Advanced Threat Prevention detection system.

“We observed exploit attempts for an unknown vulnerability starting on November 7, 2023. This vulnerability was later revealed to be CVE-2023-47565, which was first observed by Akamai and published on December 8, 2023,” he explained.

“Prior to the publication of CVE-2023-47565, Unit 42 researchers initially suspected the ATP-observed vulnerability to affect QNAP NAS systems running QTS firmware. However, on November 17, 2023, Unit 42 conducted reverse engineering and additional investigation of QTS firmware images and discovered the vulnerability now known as CVE-2023-50358. The two vulnerabilities are somewhat similar, but affect different software components in different classes of devices (network-attached storage, NAS vs. network video recorders, NVR).”

Technical details have been published for both flaws and Rapid7 published a PoC for CVE-2023-47218.

Security updates are available

QNAP NAS devices are often targeted by attackers, and especially by ransomware-wielding attackers.

The Taiwanese hardware maker says both vulnerabilities are of medium severity, but Palo Alto Networks’ Unit 42 researchers say that “these remote code execution vulnerabilities affecting IoT devices exhibit a combination of low attack complexity and critical impact, making them an irresistible target for threat actors.”

But, as Rapid7 researchers pointed out, the vulnerable quick.cgi component is present in uninitialized QNAP NAS devices and, once a device has been successfully initialized, it is disabled on the system. This detail may explain the medium severity score determined by QNAP.

The two vulnerabilities affect various versions of QTS, QuTS hero and QuTScloud, which are core parts of the firmware for entry- and mid-level QNAP NAS devices, high-end and enterprise NAS devices, and cloud-based NAS devices (respectively).

QNAP has been rolling out firmware updates with fixes since early January, though some of the roll-outs happened in several stages.

Admins are advised to upgrade QNAP NAS devices to a fixed firmware version (if they haven’t already). QNAP has also explained how they can check to see if their system is vulnerable.
