Security researchers reported vulnerabilities in several legacy models of QNAP network attached storage devices. These devices are prone to remote unauthenticated attacks due to two zero-day flaws – CVE-2020-2509 and CVE-2021-36195.
According to SAM’s security research team, QNAP TS-231’s latest firmware (version 188.8.131.526 – 2020/09/29) is vulnerable:
Web server: allows a remote attacker with access to the web server (default port 8080) to execute arbitrary shell commands, without prior knowledge of the web credentials.
DLNA server: allows a remote attacker with access to the DLNA server (default port 8200) to create arbitrary file data on any (non-existing) location, without any prior knowledge or credentials. It can also be elevated to execute arbitrary commands on the remote NAS as well.
A patch for the QNAP TS-231 NAS device should be released within weeks, Threatpost reported. Because the vulnerabilities are quite severe, technical details are scarce. Full disclosure “could cause major harm to tens of thousands of QNAP devices exposed to the internet,” SAM’s team noted.
CVE-2020-2509 and CVE-2021-36195
The first vulnerability resides in the NAS web server (default TCP port 8080).
“The vendor can fix the vulnerability by adding input sanitizations to some core processes and library APIs, but it has not been fixed as of this writing,” the researchers said.
The second vulnerability hides in the DLNA server (default TCP port 8200). The team came across the flaw while investigating the process’s behavior and communication both externally and internally.
The team succeeded in elevating the vulnerability to remote code execution on the remote NAS as well.
In a conversation with Threatpost, QNAP representatives said they have released the fix in the latest firmware and related application. “Since the severity level is high, we would like to release the security update for legacy versions. It is expected to be available in a week. In addition, we hope there will be another week for users’ updates,” the company added.
In 2019, security researchers reported that the eCh0raix ransomware was used against QNAP NAS device owners.