Taiwanese company QNAP has released patches for a number of medium-severity flaws affecting QTS and QuTS hero, some of which could be exploited to execute code on its network-attached storage (NAS) devices.
The vulnerabilities impacting QTS 5.1.x and QuTS hero h5.1.x include:
- CVE-2024-21902 – Incorrect permission assignment vulnerability that allows authenticated users to read or modify critical resources over the network
- CVE-2024-27127 – Double free vulnerability that enables authenticated users to execute arbitrary code over the network
- CVE-2024-27128, CVE-2024-27129, and CVE-2024-27130 – Set of buffer overflow vulnerabilities that enable authenticated users to execute arbitrary code over the network
All issues, requiring a valid account on NAS devices, have been fixed in QTS 5.1.7.2770 build 20240520 and QuTS hero h5.1.7.2770 build 20240520. Aliz Hammond of watchTowr Labs discovered and reported these flaws on January 3, 2024.
“The CVE-2024-27130 vulnerability, reported as WatchTowr ID WT-2023-0054, arises from the unsafe use of the ‘strcpy’ function in the No_Support_ACL function, used by the get_file_size request in the share.cgi script,” QNAP explained.
“To exploit this vulnerability, an attacker needs a valid ‘ssid’ parameter generated when a NAS user shares a file from their QNAP device.”
QNAP noted that all QTS 4.x and 5.x versions have Address Space Layout Randomization (ASLR) enabled, making it tough for attackers to exploit vulnerabilities.
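As an added illustration of the bug class QNAP describes, not code from QNAP or watchTowr: the unsafe strcpy pattern beside a length-bounded copy that rejects oversized input. The buffer size, function names and parameter handling are hypothetical.

```c
#include <stdio.h>
#include <string.h>
#define NAME_BUF_SIZE 64   /* constructed size for the demo, not QNAP's layout */

/* The pattern QNAP describes: a request parameter copied with strcpy() into a
 * fixed-size buffer with no length check (hypothetical, not share.cgi's code). */
static int unsafe_handle_get_file_size(const char *param)
{
    char name[NAME_BUF_SIZE];
    strcpy(name, param);   /* overflows once param is NAME_BUF_SIZE bytes or longer */
    return (int)strlen(name);
}

/* Hardened copy: measure with an upper bound, refuse anything that does not fit
 * together with its terminating NUL, then copy a known number of bytes. */
int bounded_copy(char *dst, size_t dst_size, const char *src)
{
    size_t len = 0;
    while (len < dst_size && src[len] != '\0')
        len++;
    if (len == dst_size)
        return -1;                 /* too long or unterminated: reject */
    memcpy(dst, src, len + 1);     /* len + 1 includes the NUL */
    return 0;
}

/* Hardened handler: 0 on success, -1 when the parameter is rejected. */
int handle_get_file_size(const char *param)
{
    char name[NAME_BUF_SIZE];
    if (bounded_copy(name, sizeof(name), param) != 0) return -1;
    return 0;   /* the request would continue with the validated name */
}

/* Calls the hardened handler with a constructed parameter of n 'A' bytes. */
int probe_with_length(size_t n)
{
    char buf[256];
    if (n >= sizeof(buf)) return -2;
    memset(buf, 'A', n);
    buf[n] = '\0';
    return handle_get_file_size(buf);
}

int main(void)
{
    printf("63 -> %d, 64 -> %d, 200 -> %d, unsafe(short) -> %d\n",
           probe_with_length(63), probe_with_length(64), probe_with_length(200),
           unsafe_handle_get_file_size("short"));
    return 0;
}
```

The hardened handler accepts values up to 63 bytes and rejects anything that cannot fit together with its terminator, which is the check the vulnerable pattern lacks.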
The fixes were released four days after the cybersecurity company disclosed details about 15 vulnerabilities, including those that could bypass authentication and execute code.
The vulnerabilities, from CVE-2023-50361 to CVE-2023-50364, were resolved by QNAP on April 25, 2024, after being disclosed in December 2023.
However, a fix for CVE-2024-27131, described by watchTowr as “Log spoofing via x-forwarded-for [that] allows users to cause downloads to be recorded as requested from arbitrary source location,” is pending. QNAP plans to address this in QTS 5.2.0.
Details about four other reported vulnerabilities are under review. One has been assigned a CVE ID and will be fixed in the upcoming release.
watchTowr publicly disclosed the flaws after QNAP failed to address them within the 90-day disclosure period, even though watchTowr had granted multiple extensions. QNAP apologized for the coordination issues and committed to faster fixes for high- or critical-severity flaws.
Users are advised to update to the latest versions of QTS and QuTS hero to guard against potential threats, especially considering past ransomware attacks exploiting vulnerabilities in QNAP NAS devices.