Security update for third-party software in QNAP QTS



Published: 2020-08-31 | Updated: 2020-09-07
Risk: Medium
Patch available: Yes
Number of vulnerabilities: 10
CVE-ID: CVE-2017-7418, CVE-2019-19269, CVE-2019-19270, CVE-2019-18217, CVE-2019-19272, CVE-2019-19271, CVE-2020-9273, CVE-2020-9272, CVE-2020-10745, CVE-2020-14303
CWE-ID: CWE-264, CWE-476, CWE-295, CWE-835, CWE-416, CWE-125, CWE-400, CWE-20
Exploitation vector: Network
Public exploit: Public exploit code for vulnerability #9 is available. Public exploit code for vulnerability #10 is available.
Vulnerable software: QNAP QTS
Server applications / File servers (FTP/HTTP)

Vendor QNAP Systems, Inc.

Security Bulletin

This security bulletin contains information about 10 vulnerabilities.

Updated 07.09.2020

Added new fixed version 4.2.6 build 20200821.

1) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU20007

Risk: Low

CVSSv3.1: 3.9 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-7418

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a local user to access sensitive information.

The vulnerability exists due to an incorrect implementation of the AllowChrootSymlinks option, which checks only the last path component when enforcing it. A local user with the ability to manage their own FTP home directory can create a specially crafted symbolic link and gain unauthorized access to the filesystem.

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

QNAP QTS: 4.2.6 2018082 - 4.4.3.1381 20200729

External links

http://www.qnap.com/en/release-notes/qts/4.3.6.1411/20200825
http://www.qnap.com/en/release-notes/qts/4.4.3.1400/20200817


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

How can the attacker exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

The attacker would have to log in to the system and perform certain actions in order to exploit this vulnerability.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) NULL pointer dereference

EUVDB-ID: #VU26104

Risk: Medium

CVSSv3.1: 5.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-19269

CWE-ID: CWE-476 - NULL Pointer Dereference

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference in the tls_verify_crl() function in ProFTPD while processing data returned by the OpenSSL sk_X509_REVOKED_value() function when encountering an empty CRL installed by a system administrator. A remote attacker can trigger the NULL pointer dereference when the server validates the certificate of a connecting client in a TLS client/server mutual-authentication setup.

Successful exploitation of the vulnerability will result in a denial of service condition.

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

QNAP QTS: 4.2.6 2018082 - 4.4.3.1381 20200729

External links

http://www.qnap.com/en/release-notes/qts/4.3.6.1411/20200825
http://www.qnap.com/en/release-notes/qts/4.4.3.1400/20200817


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Improper Certificate Validation

EUVDB-ID: #VU35035

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-19270

CWE-ID: CWE-295 - Improper Certificate Validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to manipulate data.

An issue was discovered in tls_verify_crl in ProFTPD through 1.3.6b. Failure to check for the appropriate field of a CRL entry (checking twice for subject, rather than once for subject and once for issuer) prevents some valid CRLs from being taken into account, and can allow clients whose certificates have been revoked to proceed with a connection to the server.

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

QNAP QTS: 4.2.6 2018082 - 4.4.3.1381 20200729

External links

http://www.qnap.com/en/release-notes/qts/4.3.6.1411/20200825
http://www.qnap.com/en/release-notes/qts/4.4.3.1400/20200817


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Infinite loop

EUVDB-ID: #VU22564

Risk: Medium

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-18217

CWE-ID: CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to an infinite loop in main.c in a child process when handling overly long commands. A remote non-authenticated attacker can perform a denial of service attack by sending an overly long command to the affected FTP server.

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

QNAP QTS: 4.2.6 2018082 - 4.4.3.1381 20200729

External links

http://www.qnap.com/en/release-notes/qts/4.3.6.1411/20200825
http://www.qnap.com/en/release-notes/qts/4.4.3.1400/20200817


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) NULL pointer dereference

EUVDB-ID: #VU30581

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-19272

CWE-ID: CWE-476 - NULL Pointer Dereference

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

An issue was discovered in tls_verify_crl in ProFTPD before 1.3.6. Direct dereference of a NULL pointer (a variable initialized to NULL) leads to a crash when validating the certificate of a client connecting to the server in a TLS client/server mutual-authentication setup.

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

QNAP QTS: 4.2.6 2018082 - 4.4.3.1381 20200729

External links

http://www.qnap.com/en/release-notes/qts/4.3.6.1411/20200825
http://www.qnap.com/en/release-notes/qts/4.4.3.1400/20200817


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Improper Certificate Validation

EUVDB-ID: #VU30580

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-19271

CWE-ID: CWE-295 - Improper Certificate Validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to manipulate data.

An issue was discovered in tls_verify_crl in ProFTPD before 1.3.6. A wrong iteration variable, used when checking a client certificate against CRL entries (installed by a system administrator), can cause some CRL entries to be ignored, and can allow clients whose certificates have been revoked to proceed with a connection to the server.

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

QNAP QTS: 4.2.6 2018082 - 4.4.3.1381 20200729

External links

http://www.qnap.com/en/release-notes/qts/4.3.6.1411/20200825
http://www.qnap.com/en/release-notes/qts/4.4.3.1400/20200817


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Use-after-free

EUVDB-ID: #VU25595

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-9273

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the vulnerable system.

The vulnerability exists due to a use-after-free error when processing data transfers within the alloc_pool() function in pool.c. A remote authenticated attacker can trigger the use-after-free error and execute arbitrary code on the system.

Successful exploitation of the vulnerability may allow an attacker to compromise the vulnerable system.

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

QNAP QTS: 4.2.6 2018082 - 4.4.3.1381 20200729

External links

http://www.qnap.com/en/release-notes/qts/4.3.6.1411/20200825
http://www.qnap.com/en/release-notes/qts/4.4.3.1400/20200817


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

8) Out-of-bounds read

EUVDB-ID: #VU25596

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-9272

CWE-ID: CWE-125 - Out-of-bounds read

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition in mod_cap within the bundled libcap library code (via the cap_to_text function in cap_text.c). A remote attacker can send specially crafted traffic to the server, trigger an out-of-bounds read error and read the contents of memory on the system.

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

QNAP QTS: 4.2.6 2018082 - 4.4.3.1381 20200729

External links

http://www.qnap.com/en/release-notes/qts/4.3.6.1411/20200825
http://www.qnap.com/en/release-notes/qts/4.4.3.1400/20200817


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

9) Resource exhaustion

EUVDB-ID: #VU29484

Risk: Medium

CVSSv3.1: 6.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2020-10745

CWE-ID: CWE-400 - Resource exhaustion

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists because the application does not properly control consumption of internal resources when processing NBT and DNS replies. A remote attacker can send a specially crafted name in the reply to an NBT or DNS request and consume excessive CPU resources, resulting in a denial of service condition.

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

QNAP QTS: 4.3.2 - 4.3.6.1333 20200608

External links

http://www.qnap.com/en/release-notes/qts/4.3.6.1411/20200825


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.

10) Input validation error

EUVDB-ID: #VU29486

Risk: Medium

CVSSv3.1: 6.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2020-14303

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of UDP packets with zero-length data in Samba. A remote attacker can send a specially crafted UDP packet to port 137/TCP and perform a denial of service (DoS) attack.

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

QNAP QTS: 4.3.2 - 4.3.6.1333 20200608

External links

http://www.qnap.com/en/release-notes/qts/4.3.6.1411/20200825


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.
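A patch-level check for the QTS version ranges listed in the sections above, added here as an example (it is not QNAP's or the database's own code). The fixed builds are the ones this bulletin names: 4.2.6 build 20200821 from the 07.09.2020 update note, and 4.3.6.1411 build 20200825 and 4.4.3.1400 build 20200817 from the release-note links; treating each as the first fixed build of its own 4.x.y branch, and the "major.minor.patch[.revision] [build YYYYMMDD]" string format, are assumptions.

```python
import re

# Fixed builds named in this bulletin: the 07.09.2020 update note
# (4.2.6 build 20200821) and the two release-note links
# (4.3.6.1411 build 20200825, 4.4.3.1400 build 20200817).
# Assumption: each is the first fixed build of its own 4.x.y branch.
FIXED_BUILDS = {
    (4, 2, 6): (0, 20200821),      # no fourth version field on this branch
    (4, 3, 6): (1411, 20200825),
    (4, 4, 3): (1400, 20200817),
}

# Assumed format: "major.minor.patch[.revision] [build YYYYMMDD]"
_VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?(?:\s+(?:build\s+)?(\d{8}))?$", re.I
)


def parse_qts_version(text):
    """Return ((major, minor, patch), revision, build); missing fields are 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised QTS version string: {text!r}")
    major, minor, patch, rev, build = m.groups()
    return ((int(major), int(minor), int(patch)),
            int(rev) if rev else 0,
            int(build) if build else 0)


def qts_status(text):
    """'fixed', 'vulnerable', or 'unknown' when the branch has no fixed
    build listed in this bulletin (its patch level cannot be judged here)."""
    branch, rev, build = parse_qts_version(text)
    fixed = FIXED_BUILDS.get(branch)
    if fixed is None:
        return "unknown"
    return "fixed" if (rev, build) >= fixed else "vulnerable"


if __name__ == "__main__":
    # Constructed sample inventory: the bulletin's range boundaries and
    # fixed builds, plus one made-up 4.2.6 build and an unlisted branch.
    for v in ("4.4.3.1381 20200729", "4.4.3.1400 20200817",
              "4.3.6.1333 20200608", "4.3.6.1411 build 20200825",
              "4.2.6 20200731", "4.2.6 20200821", "5.0.0"):
        print(f"{v:28} {qts_status(v)}")
```

A build on a branch the bulletin does not name is reported as "unknown" rather than guessed, since no fixed build for it appears on this page.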


