Security update for third-party software in QNAP QTS



Published: 2020-08-31 | Updated: 2020-09-07
Risk Medium
Patch available YES
Number of vulnerabilities 10
CVE-ID CVE-2017-7418
CVE-2019-19269
CVE-2019-19270
CVE-2019-18217
CVE-2019-19272
CVE-2019-19271
CVE-2020-9273
CVE-2020-9272
CVE-2020-10745
CVE-2020-14303
CWE-ID CWE-264
CWE-476
CWE-295
CWE-835
CWE-416
CWE-125
CWE-400
CWE-20
Exploitation vector Network
Public exploit Public exploit code for vulnerability #9 is available.
Public exploit code for vulnerability #10 is available.
Vulnerable software
Subscribe
QNAP QTS
Server applications / File servers (FTP/HTTP)

Vendor QNAP Systems, Inc.

Security Bulletin

This security bulletin contains information about 10 vulnerabilities.

Updated 07.09.2020

Added new fixed version 4.2.6 build 20200821.

1) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU20007

Risk: Low

CVSSv3.1: 3.9 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-7418

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a local user to access sensitive information.

The vulnerability exists due to incorrect implementation of the AllowChrootSymlinks option that checks only the last path component when enforcing it. A local user with ability to manage own FTP home directory can create a specially crafted symbolic link and gain unauthorized access to the filesystem.

Mitigation

Install update from vendor's website.

Vulnerable software versions

QNAP QTS: 4.2.6 2018082 - 4.4.3.1381 20200729


CPE2.3 External links

http://www.qnap.com/en/release-notes/qts/4.3.6.1411/20200825
http://www.qnap.com/en/release-notes/qts/4.4.3.1400/20200817

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

The attacker would have to login to the system and perform certain actions in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) NULL pointer dereference

EUVDB-ID: #VU26104

Risk: Medium

CVSSv3.1: 5.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-19269

CWE-ID: CWE-476 - NULL Pointer Dereference

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference in tls_verify_crl() function in ProFTPD while processing data, returned by the OpenSSL sk_X509_REVOKED_value() function when encountering an empty CRL installed by a system administrator. A remote attacker can trigger the NULL pointer dereference error when validating the certificate of a client connecting to the server in a TLS client/server mutual-authentication setup.

Successful exploitation of the vulnerability will result in a denial of service condition.

Mitigation

Install update from vendor's website.

Vulnerable software versions

QNAP QTS: 4.2.6 2018082 - 4.4.3.1381 20200729


CPE2.3 External links

http://www.qnap.com/en/release-notes/qts/4.3.6.1411/20200825
http://www.qnap.com/en/release-notes/qts/4.4.3.1400/20200817

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Improper Certificate Validation

EUVDB-ID: #VU35035

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-19270

CWE-ID: CWE-295 - Improper Certificate Validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to manipulate data.

An issue was discovered in tls_verify_crl in ProFTPD through 1.3.6b. Failure to check for the appropriate field of a CRL entry (checking twice for subject, rather than once for subject and once for issuer) prevents some valid CRLs from being taken into account, and can allow clients whose certificates have been revoked to proceed with a connection to the server.

Mitigation

Install update from vendor's website.

Vulnerable software versions

QNAP QTS: 4.2.6 2018082 - 4.4.3.1381 20200729


CPE2.3 External links

http://www.qnap.com/en/release-notes/qts/4.3.6.1411/20200825
http://www.qnap.com/en/release-notes/qts/4.4.3.1400/20200817

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Infinite loop

EUVDB-ID: #VU22564

Risk: Medium

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-18217

CWE-ID: CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to infinite loop in main.c in a child process when handling overly long commands. A remote non-authenticated attacker can perform a denial of service attack by sending an overly log command to the affected FTP server.

Mitigation

Install update from vendor's website.

Vulnerable software versions

QNAP QTS: 4.2.6 2018082 - 4.4.3.1381 20200729


CPE2.3 External links

http://www.qnap.com/en/release-notes/qts/4.3.6.1411/20200825
http://www.qnap.com/en/release-notes/qts/4.4.3.1400/20200817

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) NULL pointer dereference

EUVDB-ID: #VU30581

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-19272

CWE-ID: CWE-476 - NULL Pointer Dereference

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

An issue was discovered in tls_verify_crl in ProFTPD before 1.3.6. Direct dereference of a NULL pointer (a variable initialized to NULL) leads to a crash when validating the certificate of a client connecting to the server in a TLS client/server mutual-authentication setup.

Mitigation

Install update from vendor's website.

Vulnerable software versions

QNAP QTS: 4.2.6 2018082 - 4.4.3.1381 20200729


CPE2.3 External links

http://www.qnap.com/en/release-notes/qts/4.3.6.1411/20200825
http://www.qnap.com/en/release-notes/qts/4.4.3.1400/20200817

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Improper Certificate Validation

EUVDB-ID: #VU30580

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-19271

CWE-ID: CWE-295 - Improper Certificate Validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to manipulate data.

An issue was discovered in tls_verify_crl in ProFTPD before 1.3.6. A wrong iteration variable, used when checking a client certificate against CRL entries (installed by a system administrator), can cause some CRL entries to be ignored, and can allow clients whose certificates have been revoked to proceed with a connection to the server.

Mitigation

Install update from vendor's website.

Vulnerable software versions

QNAP QTS: 4.2.6 2018082 - 4.4.3.1381 20200729


CPE2.3 External links

http://www.qnap.com/en/release-notes/qts/4.3.6.1411/20200825
http://www.qnap.com/en/release-notes/qts/4.4.3.1400/20200817

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Use-after-free

EUVDB-ID: #VU25595

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-9273

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error when processing data transfer within the alloc_pool() function in pool.c. A remote authenticated attacker can trigger a use-after-free error and execute arbitrary code on the system.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

QNAP QTS: 4.2.6 2018082 - 4.4.3.1381 20200729


CPE2.3 External links

http://www.qnap.com/en/release-notes/qts/4.3.6.1411/20200825
http://www.qnap.com/en/release-notes/qts/4.4.3.1400/20200817

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

8) Out-of-bounds read

EUVDB-ID: #VU25596

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-9272

CWE-ID: CWE-125 - Out-of-bounds Read

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition in mod_cap within bundled libpcab library code (via the cap_text.c cap_to_text function). A remote attacker can send specially crafted traffic to the server, trigger an out-of-bounds read error and read contents of memory on the system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

QNAP QTS: 4.2.6 2018082 - 4.4.3.1381 20200729


CPE2.3 External links

http://www.qnap.com/en/release-notes/qts/4.3.6.1411/20200825
http://www.qnap.com/en/release-notes/qts/4.4.3.1400/20200817

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

9) Resource exhaustion

EUVDB-ID: #VU29484

Risk: Medium

CVSSv3.1: 6.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2020-10745

CWE-ID: CWE-400 - Uncontrolled Resource Consumption ('Resource Exhaustion')

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources when processing NBT and DNS replies.  A remote attacker can send a name in the reply to a NBT or DNS request and consume excessive CPU resources, resulting in denial of service conditions.

Mitigation

Install update from vendor's website.

Vulnerable software versions

QNAP QTS: 4.3.2 - 4.3.6.1333 20200608


CPE2.3 External links

http://www.qnap.com/en/release-notes/qts/4.3.6.1411/20200825

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

10) Input validation error

EUVDB-ID: #VU29486

Risk: Medium

CVSSv3.1: 6.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2020-14303

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of UDp packets with 0 length data  in Samba. A remote attacker can send a specially crafted UDP packet to port 137/TCP and perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

QNAP QTS: 4.3.2 - 4.3.6.1333 20200608


CPE2.3 External links

http://www.qnap.com/en/release-notes/qts/4.3.6.1411/20200825

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.



###SIDEBAR###