Two OS command injection vulnerabilities impact the operating systems embedded in the firmware of QNAP’s popular network-attached storage (NAS) devices. Tracked as CVE-2023-47218 and CVE-2023-50358, the vulnerabilities may allow users to execute commands via a network. The vulnerabilities affect QNAP operating systems such as QTS, QuTS hero, and QuTScloud. CVE-2023-47218 can be exploited by sending a specially crafted HTTP POST request.
QTS is the operating system for entry- and mid-level QNAP NAS devices. Built on Linux and ext4, QTS provides flexible value-added features and apps, such as snapshots, Plex media servers, and simple access to the personal cloud, to make dependable storage accessible to all users.
Both vulnerabilities exist in the quick.cgi component of QNAP QTS firmware, which can be accessed without authentication. This component can be used during manual or cloud-based provisioning of a QNAP NAS device.
An attacker with network access to an uninitialized QNAP NAS device may perform unauthenticated command injection, allowing the attacker to execute arbitrary commands.
Affected and Patched Versions
| Affected Product | Partially Fixed Version | Fully Fixed Version |
| --- | --- | --- |
| QTS 5.1.x | QTS 5.1.0.2444 build 20230629 and later | QTS 5.1.5.2645 build 20240116 and later |
| QTS 5.0.1 | QTS 5.0.1.2145 build 20220903 and later | QTS 5.1.5.2645 build 20240116 and later |
| QTS 5.0.0 | QTS 5.0.0.1986 build 20220324 and later | QTS 5.1.5.2645 build 20240116 and later |
| QTS 4.5.x, 4.4.x | QTS 4.5.4.2012 build 20220419 and later | QTS 4.5.4.2627 build 20231225 and later |
| QTS 4.3.6, 4.3.5 | QTS 4.3.6.2665 build 20240131 and later | QTS 4.3.6.2665 build 20240131 and later |
| QTS 4.3.4 | QTS 4.3.4.2675 build 20240131 and later | QTS 4.3.4.2675 build 20240131 and later |
| QTS 4.3.x | QTS 4.3.3.2644 build 20240131 and later | QTS 4.3.3.2644 build 20240131 and later |
| QTS 4.2.x | QTS 4.2.6 build 20240131 and later | QTS 4.2.6 build 20240131 and later |
| QuTS hero h5.1.x | QuTS hero h5.1.0.2466 build 20230721 and later | QuTS hero h5.1.5.2647 build 20240118 and later |
| QuTS hero h5.0.1 | QuTS hero h5.0.1.2192 build 20221020 and later | QuTS hero h5.1.5.2647 build 20240118 and later |
| QuTS hero h5.0.0 | QuTS hero h5.0.0.1986 build 20220324 and later | QuTS hero h5.1.5.2647 build 20240118 and later |
| QuTS hero h4.x | QuTS hero h4.5.4.1991 build 20220330 and later | QuTS hero h4.5.4.2626 build 20231225 and later |
| QuTScloud c5.x | QuTScloud c5.1.5.2651 and later | QuTScloud c5.1.5.2651 and later |
Please refer to the QNAP Security Advisory (QSA-23-57) for more information.
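For triaging a fleet inventory against the table above, the following added example (not code from QNAP or Qualys) classifies a firmware string as vulnerable, partially fixed, or fully fixed. It assumes firmware is reported as `<product> <version> build <YYYYMMDD>`, reads the garbled branch label in the fourth row as 4.4.x, and uses hypothetical function names (`key`, `at_least`, `classify`).

```python
import re

# Rows transcribed from the table above: (product, branch prefixes,
# partially fixed, fully fixed). Specific branches precede wildcards.
TABLE = [
    ("QTS", "5.1", "5.1.0.2444 build 20230629", "5.1.5.2645 build 20240116"),
    ("QTS", "5.0.1", "5.0.1.2145 build 20220903", "5.1.5.2645 build 20240116"),
    ("QTS", "5.0.0", "5.0.0.1986 build 20220324", "5.1.5.2645 build 20240116"),
    ("QTS", "4.5 4.4", "4.5.4.2012 build 20220419", "4.5.4.2627 build 20231225"),
    ("QTS", "4.3.6 4.3.5", "4.3.6.2665 build 20240131", "4.3.6.2665 build 20240131"),
    ("QTS", "4.3.4", "4.3.4.2675 build 20240131", "4.3.4.2675 build 20240131"),
    ("QTS", "4.3", "4.3.3.2644 build 20240131", "4.3.3.2644 build 20240131"),
    ("QTS", "4.2", "4.2.6 build 20240131", "4.2.6 build 20240131"),
    ("QuTS hero", "5.1", "5.1.0.2466 build 20230721", "5.1.5.2647 build 20240118"),
    ("QuTS hero", "5.0.1", "5.0.1.2192 build 20221020", "5.1.5.2647 build 20240118"),
    ("QuTS hero", "5.0.0", "5.0.0.1986 build 20220324", "5.1.5.2647 build 20240118"),
    ("QuTS hero", "4", "4.5.4.1991 build 20220330", "4.5.4.2626 build 20231225"),
    ("QuTScloud", "5", "5.1.5.2651", "5.1.5.2651"),
]

def key(text):
    """'5.1.0.2444 build 20230629' -> ((5, 1, 0, 2444), 20230629); gaps become 0."""
    m = re.search(r"(\d+(?:\.\d+)+)(?:\s+build\s+(\d{8}))?", text, re.I)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    nums = [int(n) for n in m.group(1).split(".")]
    return tuple(nums + [0] * (4 - len(nums))), int(m.group(2) or 0)

def at_least(installed, fixed):
    """Compare version numbers first; use build dates only to break a tie."""
    (iv, idate), (fv, fdate) = installed, fixed
    if iv != fv or not (idate and fdate):
        return iv >= fv
    return idate >= fdate

def classify(firmware):
    """Return 'vulnerable', 'partially fixed', 'fully fixed' or 'not listed'."""
    installed = key(firmware)
    for product, branches, partial, full in TABLE:
        if not firmware.lower().startswith(product.lower()):
            continue
        for branch in branches.split():
            prefix = tuple(int(n) for n in branch.split("."))
            if installed[0][:len(prefix)] == prefix:
                if at_least(installed, key(full)):
                    return "fully fixed"
                ok = at_least(installed, key(partial))
                return "partially fixed" if ok else "vulnerable"
    return "not listed"
```

A result of "not listed" means the branch does not appear in the table, not that the device is safe; check such versions against the vendor advisory.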
Workaround
If the user is unable to update the operating system to the latest version, they can perform the following actions to mitigate the vulnerabilities.
- Test the following URL in your browser:
  https://<NAS IP address>:<NAS system port>/cgi-bin/quick/quick.cgi
  - If you get the following response (HTTP 404 error), your system is not vulnerable:
    “Page not found, or the web server is currently unavailable. Please contact the website administrator for help.”
  - If you get an empty page (HTTP 200), continue to the next step.
- Update your operating system to one of the following versions or later:
  - QTS 5.1.0.2444 build 20230629 and later
  - QTS 5.0.1.2145 build 20220903 and later
  - QTS 5.0.0.1986 build 20220324 and later
  - QTS 4.5.4.2012 build 20220419 and later
  - QTS 4.3.6.2665 build 20240131 and later
  - QTS 4.3.4.2675 build 20240131 and later
  - QTS 4.3.3.2644 build 20240131 and later
  - QTS 4.2.6 build 20240131 and later
  - QuTS hero h5.1.0.2466 build 20230721 and later
  - QuTS hero h5.0.1.2192 build 20221020 and later
  - QuTS hero h5.0.0.1986 build 20220324 and later
  - QuTS hero h4.5.4.1991 build 20220330 and later
- Test the above URL again in your browser.
  - If you get the following response (HTTP 404 error), your system is now free from the vulnerabilities:
    “Page not found, or the web server is currently unavailable. Please contact the website administrator for help.”
  - If you get an empty page (HTTP 200), please update the firmware immediately.
Qualys Detection
Qualys customers can scan their devices with QID 731155 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.
References
https://www.qnap.com/en/security-advisory/qsa-23-57
https://unit42.paloaltonetworks.com/qnap-qts-firmware-cve-2023-50358/