Security restrictions bypass in QNAP QTS



Published: 2021-04-02
Risk Critical
Patch available NO
Number of vulnerabilities 1
CVE ID N/A
CWE ID CWE-284
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe
QNAP QTS
Server applications / File servers (FTP/HTTP)

Vendor QNAP Systems, Inc.

Security Advisory

This security advisory describes one critical risk vulnerability.

1) Improper access control

Risk: Critical

CVSSv3.1: 9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C] [PCI]

CVE-ID: N/A

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions within DLNA server. A remote non-authenticated attacker can connect to the DLNA server on port 8200/tcp and use a specially crafted request to create arbitrary files on the system. The vulnerability can lead to remote code execution.

Mitigation

It is unclear, if the vulnerability was fixed in the latest release of QNAP QTS 4.3.6.1620 Build 20210322, therefore treating it for the moment as unpatched.

Vulnerable software versions

QNAP QTS: 4.3.6.0805 20181228, 4.3.6.0895 20190328, 4.3.6.0907 20190409, 4.3.6.0923 20190425, 4.3.6.0944 20190516, 4.3.6.0959 20190531, 4.3.6.0979 20190620, 4.3.6.0993 20190704, 4.3.6.1013 20190724, 4.3.6.1033 20190813, 4.3.6.1070 20190919, 4.3.6.1154 20191212, 4.3.6.1218 20200214, 4.3.6.1263 20200330, 4.3.6.1286 20200422, 4.3.6.1333 20200608, 4.3.6.1411 20200825, 4.3.6.1446 20200929

CPE External links

https://securingsam.com/new-vulnerabilities-allow-complete-takeover/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###