
Tainan Branch, Administrative Enforcement Agency, Ministry of Justice

QNAP Rushes Patch for Code Execution Flaw in NAS Devices

  • Last updated: 2024-06-20

Taiwan-based QNAP Systems on Tuesday rolled out patches for multiple vulnerabilities in its Network Attached Storage (NAS) devices, including a bug for which proof-of-concept code was published last week.

The issue, tracked as CVE-2024-27130, is described as the unsafe “use of the ‘strcpy’ function in the No_Support_ACL function, which is utilized by the get_file_size request in the share.cgi script.”

The script is used when a user shares files with external users, and successful exploitation of the vulnerability requires an attacker to obtain the ‘ssid’ parameter generated when the NAS user shares a file.

According to WatchTowr, the vulnerability leads to a stack buffer overflow and can be used for remote code execution. The cybersecurity firm, which has shared technical details on CVE-2024-27130, also published POC code targeting devices with Address Space Layout Randomization (ASLR) mitigation disabled.
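The bug class described above, as an added example that is not QNAP's or WatchTowr's code: a request value copied into a fixed stack buffer must be measured against the destination first, because strcpy lets the request decide the copy length. The buffer size, the function name `copy_param`, and the `action`/`file` parameter names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define PARAM_BUF 32  /* assumed size for illustration; not taken from QNAP's code */

/* Unsafe pattern, for contrast:  char buf[PARAM_BUF]; strcpy(buf, value);
 * strcpy() copies until the source's NUL, so the request, not the
 * destination, decides how many bytes are written to the stack. */

/* Hardened form: locate key=value in a query string, measure the value,
 * and refuse it (no silent truncation) if it does not fit with its NUL.
 * Returns the value length, -1 if the key is absent, -2 if it is too long. */
static int copy_param(const char *query, const char *key,
                      char *dst, size_t dstsz)
{
    size_t klen = strlen(key);
    const char *p = query;

    if (dstsz == 0)
        return -2;
    dst[0] = '\0';
    while (p && *p) {
        /* match the whole key, so "file" does not match "filename=" */
        if (strncmp(p, key, klen) == 0 && p[klen] == '=') {
            const char *val = p + klen + 1;
            size_t vlen = strcspn(val, "&");   /* value ends at '&' or NUL */
            if (vlen >= dstsz)
                return -2;                     /* reject before any copy */
            memcpy(dst, val, vlen);
            dst[vlen] = '\0';
            return (int)vlen;
        }
        p = strchr(p, '&');                    /* advance to the next pair */
        if (p) p++;
    }
    return -1;
}

int main(void)
{
    char buf[PARAM_BUF];
    /* Constructed sample requests; parameter names are placeholders. */
    const char *ok = "action=get_file_size&file=report.pdf";
    const char *big = "action=get_file_size&file="
                      "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA";

    printf("ok  -> %d (%s)\n", copy_param(ok, "file", buf, sizeof buf), buf);
    printf("big -> %d\n", copy_param(big, "file", buf, sizeof buf));
    return 0;
}
```

Rejecting the overlong value, rather than truncating it, also gives the handler a clear event to log.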

Since ASLR is enabled by default on all QNAP devices running QTS 4.x and 5.x, the successful exploitation of the bug is significantly more difficult.

QNAP resolved the flaw with the release of QTS 5.1.7.2770 build 20240520 and QuTS hero h5.1.7.2770 build 20240520, which also address four other vulnerabilities reported by WatchTowr.

“ASLR significantly increases the difficulty for an attacker to exploit this vulnerability. Therefore, we have assessed its severity as Medium. Nonetheless, we strongly recommend users update to QTS 5.1.7 / QuTS hero h5.1.7 as soon as it becomes available to ensure their systems are protected,” QNAP said on Tuesday.

WatchTowr disclosed a total of 15 vulnerabilities in QNAP’s devices over the past half a year: 14 were reported in December 2023 and January 2024 and another one was reported on May 11.
