Reference:
Advisory #2024-27
Version:
1.0
Affected software:
QNAP QTS 4.2.x
QNAP QTS 4.3.4
QNAP QTS 4.3.6, 4.3.5
QNAP QTS 4.3.x
QNAP QTS 4.5.x, 4.4.x
QNAP QTS 5.0.0
QNAP QTS 5.0.1
QNAP QTS 5.1.x
QNAP QuTS hero h4.x
QNAP QuTS hero h5.0.0
QNAP QuTS hero h5.0.1
QNAP QuTS hero h5.1.x
QNAP QuTScloud c5.x
Type:
OS Command injection
CVE/CVSS:
CVE-2023-50358
CVSS 5.8 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L)
CVE-2023-47218
CVSS 5.8 (CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L)
CVE-2023-50358 and CVE-2023-47218 are both OS command injection vulnerabilities in QNAP QTS, QuTS hero and QuTScloud that are very likely to be actively exploited, because a proof of concept (PoC) detailing the vulnerabilities has been published.
An attacker could exploit these vulnerabilities to inject OS commands, leading to remote code execution (RCE) and eventually to a complete takeover of the device. The weakness being exploited is CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')[1].
Successful exploitation of these vulnerabilities has a low impact on confidentiality, integrity and availability. It is important to mention the reason for the low impact and score: according to Rapid7, the vulnerability is only present when the device has not yet been initialized and configured but is already connected to the internet. Even though the vulnerability is rated low impact, the CCB advises caution: a complete takeover of a device connected to your network could have a critical impact on the rest of the network.
QTS, QuTS hero and QuTScloud are the operating systems that run on QNAP NAS devices.
CVE-2023-50358 allows command injection via the quick.cgi component of the QNAP QTS firmware, which can be reached without authentication. The attacker sends an HTTP request carrying the parameter todo=set_timeinfo; the value supplied with this request is saved, without any sanitization, in the file /tmp/quick/quick_tmp.conf. The stored value is later processed by the vulnerable function ntp_sync_func(), which builds a command line for the ntpdate utility[1] from it and hands the resulting string to system(). Because the value is never sanitized, shell metacharacters in it cause the injected command to be executed on the device.
CVE-2023-47218 follows the same pattern, but the vulnerable function is switch_os, which calls upload_firmware_image; that function in turn uses the helper CGI_Upload to construct an OS command from attacker-controlled input. The command is then passed to a system() call, which executes the injected commands.
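Both vulnerabilities share one root cause: an unsanitized, attacker-controlled string is spliced into a command line that reaches system(), where /bin/sh interprets ';', '|', '$(...)' and backticks as command separators. The snippet below is an added illustration of that pattern and of the fix a firmware developer would apply; it is not QNAP's code, and the ntpdate path, the -u flag and the function names are assumptions chosen for the example. The vulnerable builder shows what the shell would receive; the hardened path allow-lists the hostname and passes it as a separate argv entry to execv(), so no shell ever parses it.

```c
/* Added example: vulnerable vs hardened handling of a user-supplied NTP
 * server value. Illustrative only; not QNAP's implementation. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <sys/wait.h>

#define HOST_MAX 253  /* maximum length of a DNS hostname */

/* Vulnerable pattern (CWE-78): the server value is concatenated into a shell
 * command line. Anything after ';' or inside $(...) becomes a separate
 * command once this string reaches system(). The function returns the
 * built line instead of running it, so it can be inspected safely. */
int build_ntp_command_vulnerable(const char *server, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "/usr/sbin/ntpdate -u %s", server); /* path assumed */
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Allow-list check: a hostname or IPv4 literal consists of letters, digits,
 * '.' and '-', is non-empty, is at most HOST_MAX bytes, and does not start
 * with '-' (so ntpdate cannot mistake it for an option). */
int is_valid_ntp_server(const char *s)
{
    size_t len;
    if (s == NULL) return 0;
    len = strlen(s);
    if (len == 0 || len > HOST_MAX || s[0] == '-') return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!(isalnum(c) || c == '.' || c == '-')) return 0;
    }
    return 1;
}

/* Hardened pattern: validate first, then place the value in its own argv
 * slot. Fills a NULL-terminated argv and returns 0, or returns -1 and
 * leaves argv untouched when the input is rejected. */
int build_ntp_argv_hardened(const char *server, const char *av[], size_t av_max)
{
    if (av_max < 4 || !is_valid_ntp_server(server)) return -1;
    av[0] = "/usr/sbin/ntpdate"; /* path assumed */
    av[1] = "-u";
    av[2] = server;
    av[3] = NULL;
    return 0;
}

/* Execute the hardened argv with fork/execv; /bin/sh is never involved.
 * Returns the child's exit status, or -1 on validation or fork failure. */
int ntp_sync_hardened(const char *server)
{
    const char *av[4];
    pid_t pid;
    int status;
    if (build_ntp_argv_hardened(server, av, 4) != 0) return -1;
    pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execv(av[0], (char *const *)av);
        _exit(127); /* only reached if execv fails */
    }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed attacker input, not taken from the published PoC. */
    const char *injected = "pool.ntp.org;id>/tmp/pwned";
    char cmd[512];
    build_ntp_command_vulnerable(injected, cmd, sizeof cmd);
    printf("vulnerable path would hand system() this line:\n  %s\n", cmd);
    printf("hardened path accepts injected value: %s\n",
           is_valid_ntp_server(injected) ? "yes" : "no");
    printf("hardened path accepts pool.ntp.org: %s\n",
           is_valid_ntp_server("pool.ntp.org") ? "yes" : "no");
    return 0;
}
```

Escaping the input for the shell is not an adequate alternative to the argv approach: the allow-list plus execv() removes the shell from the path entirely, which is the only way to make the class of bug impossible rather than merely harder to trigger.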
Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.
Follow the guidelines provided by QNAP in their security advisory (https://www.qnap.com/en/security-advisory/qsa-23-57).
Mitigate
Monitor/Detect
The CCB recommends that organizations scale up their monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.
In case of an intrusion, you can report an incident via: https://ccb.belgium.be/cert/report-incident
While patching appliances or software to the newest version may protect against future exploitation, it does not remediate a historic compromise.