Zero-Day Vulnerabilities allow hackers to access QNAP Devices
Two vulnerabilities found in legacy QNAP network attached storage models could pave the way for stealth attacks on the exposed devices.
The two vulnerabilities, tracked as CVE-2021-36195 and CVE-2020-2509, affect the TS-231 QNAP network attached storage model, and they could allow an attacker to access and modify data stored on the device. Attackers may also be able to hijack the device itself by exploiting the vulnerabilities. Some non-legacy QNAP products are affected by these flaws as well, but for them security patches that fix the flaws are already available. There is currently no such security patch for the QNAP TS-231 model, but according to the company the release of one is scheduled for the coming weeks.
Available QNAP patches can be downloaded free of charge from the download center of the official QNAP website.
The Flaws’ Discovery
The two bugs were reported two days ago, on Wednesday, March 31st, by researchers at the cybersecurity company SAM Seamless Network. The report came prior to any official statement by QNAP on the matter. It's worth noting that SAM Seamless Network published its report in accordance with its policy of giving software and hardware vendors enough time (three months) to make a public announcement regarding any vulnerabilities the company discovers. According to SAM Seamless Network, the flaws were discovered back in November 2020, four months before the date of the current report.
The security company that discovered the flaws also stated in its report that it would refrain from revealing any further details about the two bugs, due to the potential harm this could bring to QNAP customers who are currently using the TS-231 and other vulnerable QNAP products.
QNAP has addressed the issue but hasn't disclosed exactly how many, and which, of its other products may be susceptible to the discovered flaws. According to the company, most of its models can be updated with security patches that take care of the problem, but certain legacy products are limited by their firmware and cannot be updated past a certain QTS version (QTS is the operating system of QNAP devices).
The First Flaw
The first of the two bugs, CVE-2020-2509, is categorized as a remote code execution (RCE) vulnerability, and according to the company it is present in both new and old QNAP hardware. The affected firmware versions are those that come before QTS 220.127.116.116 and QTS 18.104.22.1685. Security patches that fix the flaw can be downloaded for non-legacy hardware from the download center of QNAP's official website.
According to the security researchers who discovered the flaws, CVE-2020-2509 is exposed on the NAS web server's default TCP port 8080.
The researchers report that previous remote code execution attacks on QNAP NAS products were made possible by web pages that didn't require the attackers to authenticate, which allowed them to run malicious code on the server side. The research team examined and fuzzed the CGI files behind such pages. They fuzzed the web server by sending custom HTTP requests to various CGI pages that lacked an authentication requirement, and in doing so they were able to remotely and indirectly execute code by triggering certain behavior in other processes.
The fix suggested by the SAM Seamless Network team is to add input sanitization to some of the library APIs and core processes.
The Second Flaw
The second discovered flaw, CVE-2021-36195, is an arbitrary file-write vulnerability. The affected firmware is the latest one available for the QNAP TS-231, which was released in September last year.
Through this vulnerability, two types of attack could be performed. The first enables the attacker to gain access to the server and then launch unauthorized shell commands without needing any credentials.
The second could allow attackers to create arbitrary file data in a non-existent location on the DLNA server, provided that they have already gained access to the server. This can also be used to run arbitrary commands.
In a proof-of-concept attack, the researchers used a Python script against the vulnerable device and managed to fully hijack it. They also gained access to a QNAP storage file, pointing out that other QNAP files can be accessed in a similar way.
According to QNAP, a fix for this can be found in the company's App Center under the name Multimedia Console 1.3.4, for devices that support it.
Incoming Security Patch for Legacy Versions
QNAP has already released a patch that takes care of the flaws for its latest firmware version and related software. However, legacy versions are still vulnerable, and QNAP has stated that a security update for them is currently in the works and should be available within a week.