CVE-2024-27130 in QNAP: When 'Secure' is Just a Marketing Term
The article «QNAP QTS — QNAPping At The Wheel (CVE-2024-27130 and friends)» from WatchTowr Labs provides a detailed analysis of several vulnerabilities found in QNAP NAS devices.
CVE-2024-27130, Stack Buffer Overflow in share.cgi: The vulnerability arises from an unsafe strcpy call in the No_Support_ACL function, which is reachable through the get_file_size function in share.cgi. The result is a stack buffer overflow that can be exploited to achieve Remote Code Execution (RCE).
📌Step 1: Initial Access: An attacker needs a valid NAS user account to exploit this vulnerability. This could be achieved through phishing, credential stuffing, or exploiting another vulnerability to gain initial access.
📌Step 2: File Sharing: The attacker shares a file with an untrusted user. This action triggers the get_file_size function in share.cgi.
📌Step 3: Exploitation: The get_file_size function calls No_Support_ACL, which uses strcpy unsafely, leading to a stack buffer overflow. The attacker crafts a payload that overflows the buffer and injects malicious code.
📌Step 4: Remote Code Execution: The overflow allows the attacker to execute arbitrary code on the NAS device, potentially gaining full control of the system.
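As an added example (not code from the WatchTowr article or from QNAP), the copying pattern behind CVE-2024-27130 in miniature: a hypothetical helper that strcpy's a caller-supplied path into a fixed stack buffer, beside a bounded version that rejects oversized input instead of overflowing. The function names and the 64-byte buffer size are assumptions.

```c
/* Added illustration, not QNAP's code: a hypothetical helper modelled on the
 * pattern described above (a caller-supplied path strcpy'd into a fixed stack
 * buffer) beside a bounded version. PATH_BUF is an assumed size. */
#include <stdio.h>
#include <string.h>
#include <stdbool.h>
#define PATH_BUF 64

/* Vulnerable pattern: nothing verifies that `path` fits, so a path longer
 * than PATH_BUF - 1 bytes writes past `buf` and corrupts the stack frame. */
void path_copy_unchecked(const char *path)
{
    char buf[PATH_BUF];
    strcpy(buf, path);              /* the unsafe call at the root of the bug */
}

/* Hardened version: locate the terminator inside the bound, refuse input that
 * does not fit, then copy exactly the bytes measured. */
bool path_copy_checked(const char *path, char *out, size_t out_len)
{
    if (path == NULL || out == NULL || out_len == 0)
        return false;
    const char *nul = memchr(path, '\0', out_len);  /* never reads past out_len */
    if (nul == NULL)                                /* no room for the NUL */
        return false;
    memcpy(out, path, (size_t)(nul - path) + 1);    /* payload plus terminator */
    return true;
}

/* Constructs a path of `len` 'A' bytes and returns 1 if the hardened copy
 * accepts it into a PATH_BUF-sized destination, 0 if it is rejected. */
int check_path_of_length(size_t len)
{
    char path[256], buf[PATH_BUF];
    if (len > sizeof path - 1) len = sizeof path - 1;
    memset(path, 'A', len);
    path[len] = '\0';
    return path_copy_checked(path, buf, sizeof buf) ? 1 : 0;
}

int main(void)
{
    printf("63-byte path accepted: %d\n", check_path_of_length(63));  /* 1 */
    printf("64-byte path accepted: %d\n", check_path_of_length(64));  /* 0 */
    return 0;
}
```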
📌CVE-2024-27129: Unsafe use of strcpy in the get_tree function of utilRequest.cgi leads to a static buffer overflow and RCE; requires a valid account on the NAS device.
📌CVE-2024-27131: Log spoofing via the x-forwarded-for header lets a user cause a download to be recorded as requested from an arbitrary source location; requires the ability to download a file.
📌WT-2024-0004: Stored XSS via remote syslog messages; requires a non-default configuration.
📌WT-2024-0005: Stored XSS via remote device discovery; no requirements.
📌WT-2024-0006: Lack of rate-limiting on the authentication API; no requirements.
📌Patches Available: The first four vulnerabilities (CVE-2024-27129, CVE-2024-27130, CVE-2024-27131, and WT-2024-0004) have been patched in QTS 5.1.6.2722 build 20240402 and later, and in QuTS hero h5.1.6.2734 build 20240414 and later.
📌Vendor Response: The vendor has acknowledged the vulnerabilities and has been working on fixes, although some issues remain under extended embargo due to their complexity.