NAS manufacturer QNAP has issued a security warning for its QNAP products. There is a critical vulnerability, CVE-2022-27596, in the QTS 5.0.1 and QuTS hero h5.0.1 software that allows malicious code injection into the firmware. The critical vulnerability has been assigned a CVSS v3 score of 9.8. Firmware updates are now available to close the vulnerability. An update should be installed immediately. Over 29,000 devices are vulnerable.
QNAP security advisory QSA-23-01 is dated January 30, 2023 and is titled Vulnerability in QTS and QuTS hero.
The manufacturer has been notified of a vulnerability affecting QNAP devices running QTS 5.0.1 and QuTS hero h5.0.1. Attackers who exploit this vulnerability can remotely inject malicious code into the firmware of the devices. Of course, this assumes that the QNAP devices are also remotely accessible.
QNAP has not revealed any further details about the vulnerability. The colleagues from Bleeping Computer point out here that in the NIST portal the vulnerability CVE-2022-27596 is classified as an "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')". Devices with the following software are affected:
- QTS 5.x
- QuTS hero h5.x
The vendor has fixed the reported vulnerability in the following versions of QNAP operating systems.
- QTS 5.0.1.2234 build 20221201 and later
- QuTS hero h5.0.1.2248 build 20221215 and later
To protect devices with this software, the manufacturer recommends regularly updating them to the latest version. To do this, log in to QTS or QuTS hero as an administrator and go to the menu item Control Panel > System > Firmware Update. There you can click on Check for update under Live Update. The QTS or QuTS hero operating systems should then download and install the latest available update.
I got feedback in the German blog that the fix was released in Dec. 2022, but the relevant updates weren't found by the update search. The user reporting that was forced to download the patch manually from the QNAP download center.
Alternatively, users can download the update from the QNAP website. Go to Support > Download Center and then perform a manual update for your specific device.
29,000 devices vulnerable
Bleeping Computer reports here that over 29,000 devices are vulnerable to this flaw. This was revealed by a report from Censys security researchers. Only just over 550 of the more than 60,000 QNAP NAS devices that Censys security researchers found online were patched.
"Censys has observed 67,415 hosts with indications of running a QNAP-based system; unfortunately, we could only obtain the version number from 30,520 hosts. But, if the advisory is correct, over 98% of identified QNAP devices would be vulnerable to this attack," senior security researcher Mark Ellzey said. "We found that of the 30,520 hosts with a version, only 557 were running QuTS Hero greater than or equal to 'h5.0.1.2248' or QTS greater than or equal to '5.0.1.2234,' meaning 29,968 hosts could be affected by this vulnerability."
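The version comparison Censys describes (QuTS hero at or above h5.0.1.2248, QTS at or above 5.0.1.2234) is the same check an administrator would run over an inventory of their own NAS devices. The following is an added example written for this post, not QNAP's or Censys' code; the host names and version strings in the inventory are constructed, and a version reported without a build number is deliberately treated as undecidable rather than guessed either way.

```python
import re

# Fixed versions named in QSA-23-01: QTS 5.0.1.2234 and QuTS hero h5.0.1.2248.
FIXED = {
    "QTS": (5, 0, 1, 2234),
    "QuTS hero": (5, 0, 1, 2248),
}

# Accepts "5.0.1.2234 build 20221201", "h5.0.1.2248", "5.0.1", ...
# A leading "h" marks QuTS hero; the build date suffix is optional and ignored.
_VERSION_RE = re.compile(
    r"^(h?)(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?(?:\s+build\s+(\d{8}))?$", re.I
)


def classify(raw):
    """Return 'patched', 'vulnerable', 'out_of_scope' or 'unknown' for one version string."""
    m = _VERSION_RE.match(raw.strip())
    if not m:
        return "unknown"           # Censys could not obtain a version for many hosts either
    hero, major, minor, patch, build, _date = m.groups()
    if build is None:
        return "unknown"           # "5.0.1" alone cannot be placed relative to 5.0.1.2234
    version = (int(major), int(minor), int(patch), int(build))
    if version[0] != 5:
        return "out_of_scope"      # the advisory lists QTS 5.x / QuTS hero h5.x only
    product = "QuTS hero" if hero else "QTS"
    return "patched" if version >= FIXED[product] else "vulnerable"


def summarize(inventory):
    """Count classifications over (host, version_string) pairs."""
    counts = {"patched": 0, "vulnerable": 0, "out_of_scope": 0, "unknown": 0}
    for _host, raw in inventory:
        counts[classify(raw)] += 1
    return counts


# Constructed sample inventory (hypothetical hosts and versions, not real devices).
INVENTORY = [
    ("nas-01", "5.0.1.2234 build 20221201"),   # exact fixed build -> patched
    ("nas-02", "5.0.1.2194 build 20221104"),   # older QTS build -> vulnerable
    ("nas-03", "h5.0.1.2248 build 20221215"),  # exact fixed hero build -> patched
    ("nas-04", "h5.0.1.2200"),                 # older hero build -> vulnerable
    ("nas-05", "4.5.4.2280"),                  # QTS 4.x, not covered by QSA-23-01
    ("nas-06", ""),                            # version not obtained
]

if __name__ == "__main__":
    for host, raw in INVENTORY:
        print(f"{host:8} {raw!r:32} {classify(raw)}")
    print(summarize(INVENTORY))
```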