Skip links

QNAP vulnerability disclosure ends up an utter shambles

Network-attached storage (NAS) specialist QNAP has disclosed and released fixes for two new vulnerabilities, one of them a zero-day discovered in early November.

The Taiwanese company’s coordinated disclosure of the issues with researchers at Unit 42 by Palo Alto Networks has, however, led to some confusion over the severity of the security problem.

QNAP assigned CVE-2023-50358 a middling 5.8-out-of-10 severity score, the breakdown of which revealed it was classified as a high-complexity attack that would have a low impact if exploited successfully.

Unit 42’s assessment, on the other hand, was the polar opposite: “These remote code execution vulnerabilities affecting IoT devices exhibit a combination of low attack complexity and critical impact, making them an irresistible target for threat actors. As a result, protecting IoT devices against such threats is an urgent task.”

The German Federal Office for Information Security (BSI) also released an emergency alert today warning that successful exploits could lead to “major damage,” encouraging users to apply patches quickly.

At the time of writing, the National Vulnerability Database (NVD) is still working to assign the vulnerability an independent rating.

Typically, command injection vulnerabilities that are easy to exploit tend to attract severity scores at the higher end of the scale, so it will be interesting to see what the NVD’s score ends up being.

According to Unit42’s internet scans of vulnerable devices carried out in mid-January, 289,665 separate IP addresses registered a vulnerable, public-facing device.

Germany and the US were the most exposed, with 42,535 and 36,865 vulnerable devices respectively, while China, Italy, Japan, Taiwan, and France trailed each with over 10,000 devices exposed.

Exploiting CVE-2023-50358

Unlike QNAP, Unit 42 published a technical breakdown of CVE-2023-50358 and how to exploit the vulnerability.

It’s classed as a command injection flaw in the quick.cgi component of QNAP’s QTS firmware, which runs on most of its NAS devices.

“While setting the HTTP request parameter todo=set_timeinfo, the request handler in quick.cgi saves the value of the parameter SPECIFIC_SERVER into a configuration file /tmp/quick/quick_tmp.conf with the entry name NTP Address,” the researchers explained.

“After writing the NTP server address, the component starts time synchronization using the ntpdate utility. The command-line execution is built by reading the NTP Address in quick_tmp.conf, and this string is then executed using system().

“Untrusted data from the SPECIFIC_SERVER parameter is therefore used to build a command line to be executed in the shell resulting in arbitrary command execution.”

Double up

QNAP’s advisory also detailed fixes for a second command injection flaw, CVE-2023-47218, which was reported by Stephen Fewer, principal security researcher at Rapid7, and has also been given the same 5.8 severity score.

The advisory itself combines both vulnerabilities and provides technical details for neither, so it’s difficult to determine what the differences are from this alone.

Rapid7’s advisory, however, provides extensive detail on how CVE-2023-47218 also lies in the quick.cgi component, allowing for command injection, and how it can feasibly be exploited using a specially crafted HTTP POST request.

Details of the disclosure timeline also offered a glimpse at what appears to be a slightly ticked-off Rapid7 after QNAP went silent and published its patches earlier than agreed.

After agreeing to a coordinated disclosure date for the vulnerabilities of February 7 back in December, on January 25 QNAP told Rapid7 it had already pushed out the patches. This followed more than two weeks of radio silence from the NAS slinger after Rapid7 requested a progress update.

QNAP also asked Rapid7 to delay the publication of its advisory to February 26, nearly three weeks after the original agreed date, which didn’t appear to have been received warmly.

So many patches

Rather than focusing on the technical details of the vulnerabilities, QNAP’s main focus with its disclosure appears to be highlighting the different patches available for different firmware versions. QTS, QuTS hero, and QuTAcloud are all impacted differently and each version has its own specific upgrade recommendation.

Affected Product Severity Partially Fixed Version Fully Fixed Version
QTS 5.1.x Medium QTS build 20230629 and later QTS build 20240116 and later
QTS 5.0.1 Medium QTS build 20220903 and later QTS build 20240116 and later
QTS 5.0.0 High QTS build 20220324 and later QTS build 20240116 and later
QTS 4.5.x, 4,4,x High QTS build 20220419 and later QTS build 20231225 and later
QTS 4.3.6, 4.3.5 High QTS build 20240131 and later QTS build 20240131 and later
QTS 4.3.4 High QTS build 20240131 and later QTS build 20240131 and later
QTS 4.3.x High QTS build 20240131 and later QTS build 20240131 and later
QTS 4.2.x High QTS 4.2.6 build 20240131 and later QTS 4.2.6 build 20240131 and later
QuTS hero h5.1.x Medium QuTS hero h5.1.0.2466 build 20230721 and later QuTS hero h5.1.5.2647 build 20240118 and later
QuTS hero h5.0.1 Medium QuTS hero h5.0.1.2192 build 20221020 and later QuTS hero h5.1.5.2647 build 20240118 and later
QuTS hero h5.0.0 High QuTS hero h5.0.0.1986 build 20220324 and later QuTS hero h5.1.5.2647 build 20240118 and later
QuTS hero h4.x High QuTS hero h4.5.4.1991 build 20220330 and later QuTS hero h4.5.4.2626 build 20231225 and later
QuTScloud c5.x High QuTScloud c5.1.5.2651 and later QuTScloud c5.1.5.2651 and later

The general advice, as ever is to upgrade to the latest available version, although QNAP’s advisory also provides mitigation steps if upgrades can’t be applied immediately.

Curiously, it also lists different firmware versions as being affected to different degrees, assigning different severity ratings for different firmware versions. The vendor doesn’t explain why this is the case.

The vulnerabilities disclosed today are the latest in a fairly extensive line of command injection flaws to impact QTS and QuTS firmware

In just this year alone, less than two months in, 15 different security advisories have been released to disclose 12 different command injection vulnerabilities impacting various devices. ®