
QNAP Rushes Patch for Code Execution Flaw in NAS Devices

QNAP rolls out patches for multiple vulnerabilities after a proof-of-concept exploit was published for a remote code execution vulnerability. The post QNAP Rushes Patch for Code Execution Flaw in NAS Devices appeared first on SecurityWeek.

Taiwan-based QNAP Systems on Tuesday rolled out patches for multiple vulnerabilities in its Network Attached Storage (NAS) devices, including a bug for which proof-of-concept code was published last week.

The issue, tracked as CVE-2024-27130, is described as the unsafe “use of the ‘strcpy’ function in the No_Support_ACL function, which is utilized by the get_file_size request in the share.cgi script.”

The script is used when a user shares files with external users, and successful exploitation of the vulnerability requires an attacker to obtain the ‘ssid’ parameter generated when the NAS user shares a file.

According to WatchTowr, the vulnerability leads to a stack buffer overflow and can be used for remote code execution. The cybersecurity firm, which has shared technical details on CVE-2024-27130, also published PoC code targeting devices with the Address Space Layout Randomization (ASLR) mitigation disabled.

Since ASLR is enabled by default on all QNAP devices running QTS 4.x and 5.x, successful exploitation of the bug is significantly more difficult.

QNAP resolved the flaw with the release of QTS 5.1.7.2770 build 20240520 and QuTS hero h5.1.7.2770 build 20240520, which also address four other vulnerabilities reported by WatchTowr.

“ASLR significantly increases the difficulty for an attacker to exploit this vulnerability. Therefore, we have assessed its severity as Medium. Nonetheless, we strongly recommend users update to QTS 5.1.7 / QuTS hero h5.1.7 as soon as it becomes available to ensure their systems are protected,” QNAP said on Tuesday.

WatchTowr disclosed a total of 15 vulnerabilities in QNAP’s devices over the past half year: 14 were reported in December 2023 and January 2024, and another one was reported on May 11.

The vendor patched four of these in late April, and five more with the May 21 updates, when it also announced that two other issues will be addressed with upcoming updates. QNAP says it has yet to confirm three other flaws.

“We regret any coordination issues that may have occurred between the product release schedule and the disclosure of these vulnerabilities. We are taking steps to improve our processes and coordination in the future to prevent such issues from arising again,” QNAP said, in response to WatchTowr disclosing the flaws before patches were rolled out.

WatchTowr gave the vendor several extensions over the industry-standard 90-day period mentioned in its vulnerability disclosure program.

“Moving forward, for vulnerabilities triaged as High or Critical severity, we commit to completing remediation and releasing fixes within 45 days. For Medium severity vulnerabilities, we will complete remediation and release fixes within 90 days,” QNAP added.

Users are advised to update to the latest QTS and QuTS hero releases as soon as possible. Threat actors are known to have exploited QNAP vulnerabilities for which patches had been released.
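To check a device inventory against the fixed releases named above, the following added example (not code from QNAP, WatchTowr or the original article) compares version strings written in the notation the article uses. The host names and sample versions are constructed, and treating a numerically later release as containing the fix is an assumption.

```python
import re

# Fixed releases, exactly as named in the article.
FIXED = {
    "QTS": "5.1.7.2770 build 20240520",
    "QuTS hero": "h5.1.7.2770 build 20240520",
}

# Assumed input notation: "[h]<dotted version> build <YYYYMMDD>", as in the article.
_VERSION_RE = re.compile(r"^(h?)(\d+(?:\.\d+)*)(?:\s+build\s+(\d{8}))?$", re.IGNORECASE)


def parse_version(text):
    """Return (product, dotted-version tuple, build date) or raise ValueError."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    product = "QuTS hero" if match.group(1) else "QTS"
    numbers = tuple(int(part) for part in match.group(2).split("."))
    build = int(match.group(3)) if match.group(3) else 0  # missing build sorts lowest
    return product, numbers, build


def has_fix(text):
    """True if the version is at or after the fixed release for its product."""
    product, numbers, build = parse_version(text)
    _, fixed_numbers, fixed_build = parse_version(FIXED[product])
    # Dotted version decides first; the build date only breaks ties.
    return (numbers, build) >= (fixed_numbers, fixed_build)


def audit(inventory):
    """Map each host to 'at-or-after-fix', 'before-fix' or 'unparsed'."""
    report = {}
    for host, version in inventory.items():
        try:
            report[host] = "at-or-after-fix" if has_fix(version) else "before-fix"
        except ValueError:
            report[host] = "unparsed"  # review by hand rather than guess
    return report


# Constructed inventory for illustration; not real devices.
SAMPLE_INVENTORY = {
    "nas-01": "5.1.7.2770 build 20240520",
    "nas-02": "5.1.6.2722 build 20240402",
    "nas-03": "h5.1.5.2647 build 20240118",
    "nas-04": "4.5.4.2790 build 20240605",
    "nas-05": "firmware unavailable",
}
```

A "before-fix" result only means the device is not on the release the article names; it does not establish whether that firmware branch is affected.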
