Multiple vulnerabilities in QNAP QTS and QuTS hero



Risk Medium
Patch available YES
Number of vulnerabilities 3
CVE-ID CVE-2023-38408
CVE-2021-41617
CVE-2020-14145
CWE-ID CWE-426
CWE-269
CWE-327
Exploitation vector Network
Public exploit Public exploit code for vulnerability #1 is available.
Vulnerable software
QuTS hero
Hardware solutions / Firmware

QNAP QTS
Server applications / File servers (FTP/HTTP)

Vendor QNAP Systems, Inc.

Security Bulletin

This security bulletin contains information about 3 vulnerabilities.

1) Untrusted search path

EUVDB-ID: #VU78454

Risk: Medium

CVSSv3.1: 6.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2023-38408

CWE-ID: CWE-426 - Untrusted Search Path

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to usage of an insecure search path within the PKCS#11 feature in ssh-agent. A remote attacker can trick the victim into connecting to a malicious SSH server and execute arbitrary code on the system, if an agent is forwarded to an attacker-controlled system.

Note, this vulnerability exists due to incomplete fix for #VU2015 (CVE-2016-10009).

Mitigation

Install update from vendor's website.

Vulnerable software versions

QuTS hero: before h5.1.8.2823 build 20240712

QNAP QTS: before 5.1.8.2823 20240712

CPE2.3 External links

http://www.qnap.com/en/security-advisory/qsa-24-37


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

2) Improper Privilege Management

EUVDB-ID: #VU58333

Risk: Low

CVSSv3.1: 6.1 [CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-41617

CWE-ID: CWE-269 - Improper Privilege Management

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges.

The vulnerability exists due to improper privilege management in sshd, when certain non-default configurations are used, because supplemental groups are not initialized as expected. Helper programs for AuthorizedKeysCommand and AuthorizedPrincipalsCommand may run with privileges associated with group memberships of the sshd process, if the configuration specifies running the command as a different user. A local user can escalate privileges on the system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

QuTS hero: before h5.1.8.2823 build 20240712

QNAP QTS: before 5.1.8.2823 20240712

CPE2.3 External links

http://www.qnap.com/en/security-advisory/qsa-24-37


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Use of a broken or risky cryptographic algorithm

EUVDB-ID: #VU32937

Risk: Medium

CVSSv3.1: 4.7 [CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-14145

CWE-ID: CWE-327 - Use of a Broken or Risky Cryptographic Algorithm

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform MitM attack.

The vulnerability exists in openssh client during algorithm negotiation due to observable discrepancy. A remote attacker can perform a Man-in-the-Middle (MitM) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

QuTS hero: before h5.1.8.2823 build 20240712

QNAP QTS: before 5.1.8.2823 20240712

CPE2.3 External links

http://www.qnap.com/en/security-advisory/qsa-24-37


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###