QNAP QTS zero-day in Share feature gets public RCE exploit

May 20, 2024 at 11:01AM

A recent security audit of QNAP QTS revealed fifteen vulnerabilities, with only four fixed by the vendor after multiple delays. Notably, CVE-2024-27130 poses a remote code execution risk through an unpatched function in ‘share.cgi.’ WatchTowr Labs uncovered these vulnerabilities, mostly involving buffer overflows and authentication issues, impacting NAS devices. Read more at WatchTowr.

Key Takeaways from the Meeting Notes:

– An extensive security audit has uncovered fifteen vulnerabilities in the QNAP QTS operating system for the company’s NAS products, with eleven remaining unfixed.
– The vulnerabilities primarily include code execution, buffer overflows, memory corruption, authentication bypass, and XSS issues impacting NAS devices.
– WatchTowr Labs discovered the vulnerabilities and published the complete details of their findings and a proof of concept (PoC) exploit for one of the vulnerabilities (CVE-2024-27130).
– QNAP has addressed some vulnerabilities in a security update, but the majority remain unaddressed.
– A specific vulnerability (CVE-2024-27130) involves an unpatched stack buffer overflow in the ‘No_Support_ACL’ function of ‘share.cgi,’ which could enable remote code execution.
– The exploit for CVE-2024-27130 requires a valid ‘ssid’ parameter, which can be obtained through social engineering or finding publicly shared links.
– A demonstration of crafting a payload that creates a ‘watchtowr’ account on a QNAP device and adds it to the sudoers file for elevated privileges has been published on GitHub by WatchTowr.

Overall, the meeting notes highlight the severity of the vulnerabilities discovered in the QNAP QTS operating system and the potential risk of exploitation, particularly with the demonstration of a payload for elevated privileges. It is evident that immediate action is required to address these vulnerabilities.
