Command Injection in QNAP QTS

#VU28777 Command Injection in QNAP QTS

Published: 2020-06-08 | Updated: 2022-05-24

Vulnerability identifier: #VU28777

Vulnerability risk: Low

CVSSv3.1: 6.9 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C]

CVE-ID: CVE-2018-19949

CWE-ID: CWE-77

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
QNAP QTS
Server applications / File servers (FTP/HTTP)

Vendor: QNAP Systems, Inc.

Description

The vulnerability allows a remote user to execute arbitrary commands on the system.

The vulnerability exists due to insufficient input validation in username on proper authentication after account creation. A remote administrator can create users with usernames containing bash syntax that evaluates code and execute arbitrary commands on the system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

QNAP QTS: 4.4.1.0948 20190527 - 4.4.1.1201 20200130

External links
http://www.qnap.com/en/release-notes/qts/4.4.1.1216/20200214
http://blog.securityevaluators.com/multiple-vulnerabilities-discovered-in-qnap-nass-303b720d487b

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

Yes. This vulnerability is being exploited in the wild.

Latest bulletins with this vulnerability

Multiple vulnerabilities in QNAP QTS