CVE-2024-27130 in QNAP: When 'Secure' is Just a Marketing Term

The ‎article‏ ‎«QNAP ‎QTS ‎— ‎QNAPping ‎At‏ ‎The ‎Wheel‏ ‎(CVE-2024-27130‏ ‎and ‎friends)» from ‎WatchTowr‏ ‎Labs ‎provides‏ ‎a ‎detailed ‎analysis ‎of‏ ‎several‏ ‎vulnerabilities ‎found‏ ‎in ‎QNAP‏ ‎NAS ‎devices.

CVE-2024-27130. ‎Stack ‎Buffer ‎Overflow‏ ‎in‏ ‎share.cgi: ‎The‏ ‎vulnerability ‎arises‏ ‎from ‎the ‎unsafe ‎use ‎of‏ ‎the‏ ‎strcpy‏ ‎function ‎in‏ ‎the ‎No_Support_ACL‏ ‎function, ‎which‏ ‎is‏ ‎accessible ‎via‏ ‎the ‎get_file_size ‎function ‎in ‎share.cgi.‏ ‎This ‎leads‏ ‎to‏ ‎a ‎stack ‎buffer‏ ‎overflow, ‎which‏ ‎can ‎be ‎exploited ‎to‏ ‎achieve‏ ‎Remote ‎Code‏ ‎Execution ‎(RCE).

Attack‏ ‎Scenario:

📌Step ‎1: ‎Initial ‎Access: ‎An‏ ‎attacker‏ ‎needs ‎a‏ ‎valid ‎NAS‏ ‎user ‎account ‎to ‎exploit ‎this‏ ‎vulnerability.‏ ‎This‏ ‎could ‎be‏ ‎achieved ‎through‏ ‎phishing, ‎credential‏ ‎stuffing,‏ ‎or ‎exploiting‏ ‎another ‎vulnerability ‎to ‎gain ‎initial‏ ‎access.

📌Step ‎2:‏ ‎File‏ ‎Sharing: ‎The ‎attacker‏ ‎shares ‎a‏ ‎file ‎with ‎an ‎untrusted‏ ‎user.‏ ‎This ‎action‏ ‎triggers ‎the‏ ‎get_file_size ‎function ‎in ‎share.cgi.

📌Step ‎3:‏ ‎Exploitation:‏ ‎The ‎get_file_size‏ ‎function ‎calls‏ ‎No_Support_ACL, ‎which ‎uses ‎strcpy ‎unsafely,‏ ‎leading‏ ‎to‏ ‎a ‎stack‏ ‎buffer ‎overflow.‏ ‎The ‎attacker‏ ‎crafts‏ ‎a ‎payload‏ ‎that ‎overflows ‎the ‎buffer ‎and‏ ‎injects ‎malicious‏ ‎code.

📌Step‏ ‎4: ‎Remote ‎Code‏ ‎Execution: ‎The‏ ‎overflowed ‎buffer ‎allows ‎the‏ ‎attacker‏ ‎to ‎execute‏ ‎arbitrary ‎code‏ ‎on ‎the ‎NAS ‎device, ‎potentially‏ ‎gaining‏ ‎full ‎control‏ ‎over ‎the‏ ‎system.

Related ‎Vulnerabilities

📌CVE-2024-27129: Unsafe ‎use ‎of ‎strcpy‏ ‎in‏ ‎the‏ ‎get_tree ‎function‏ ‎of ‎utilRequest.cgi‏ ‎leading ‎to‏ ‎a‏ ‎static ‎buffer‏ ‎overflow ‎and ‎RCE ‎with ‎a‏ ‎requirement ‎of‏ ‎a‏ ‎valid ‎account ‎on‏ ‎the ‎NAS‏ ‎device.

📌CVE-2024-27131: Log ‎spoofing ‎via ‎x-forwarded-for‏ ‎allows‏ ‎users ‎to‏ ‎cause ‎downloads‏ ‎to ‎be ‎recorded ‎as ‎requested‏ ‎from‏ ‎an ‎arbitrary‏ ‎source ‎location‏ ‎with ‎a ‎requirement ‎of ‎the‏ ‎ability‏ ‎to‏ ‎download ‎a‏ ‎file.

📌WT-2024-0004: Stored ‎XSS‏ ‎via ‎remote‏ ‎syslog‏ ‎messages ‎with‏ ‎a ‎requirement ‎of ‎a ‎non-default‏ ‎configuration.

📌WT-2024-0005: Stored ‎XSS‏ ‎via‏ ‎remote ‎device ‎discovery‏ ‎with ‎no‏ ‎requirements

📌WT-2024-0006: Lack ‎of ‎rate-limiting ‎on‏ ‎the‏ ‎authentication ‎API‏ ‎with ‎no‏ ‎requirements

Mitigation ‎and ‎Patching

📌Patches ‎Available: The ‎first‏ ‎four‏ ‎vulnerabilities ‎(CVE-2024-27129,‏ ‎CVE-2024-27130, ‎CVE-2024-27131,‏ ‎and ‎WT-2024-0004) ‎have ‎been ‎patched‏ ‎in‏ ‎the‏ ‎following ‎versions:‏ ‎QTS ‎5.1.6.2722‏ ‎build ‎20240402‏ ‎and‏ ‎later, ‎QuTS‏ ‎hero ‎h5.1.6.2734 ‎build ‎20240414 ‎and‏ ‎later

📌Vendor ‎Response:‏ ‎The‏ ‎vendor ‎has ‎acknowledged‏ ‎the ‎vulnerabilities‏ ‎and ‎has ‎been ‎working‏ ‎on‏ ‎fixes, ‎although‏ ‎some ‎issues‏ ‎remain ‎under ‎extended ‎embargo ‎due‏ ‎to‏ ‎their ‎complexity.