A security researcher disclosed four vulnerabilities in QNAP PhotoStation and CGI programs. All QNAP network-attached storage (NAS) devices running Photo Station are vulnerable and of those, approximately 450,000 QNAP NAS devices are exposed to the internet.
According to Henry Huang, he discovered and disclosed to the vendor four QNAP vulnerabilities last June. He subsequently responsibly disclosed three of them publicly on May 18, 2020. He warned the QNAP vulnerabilities “can be chained into a pre-auth root RCE.”
In addition, QNAP then published a security advisory and provided critical patches for each of the QNAP vulnerabilities in November, 2019.
However, recent Shodan IoT search scans still show an estimated 80% of potentially affected QNAP devices are still running Photo Station.
QNAP vulnerabilities
Each of the relevant QNAP vulnerabilities are summarized below:
- CVE-2019-7192: This improper access control vulnerability allows remote attackers to gain unauthorized access to the system.
- CVE-2019-7193: This improper input validation vulnerability allows remote attackers to inject arbitrary code to the system.
- CVE-2019-7194: This external control of file name or path vulnerability allows remote attackers to access or modify system files.
- CVE-2019-7195: This external control of file name or path vulnerability allows remote attackers to access or modify system files.
Huang also confirmed all downloadable QNAP Office Station versions before the fixed versions (i.e., 6.0.3, 5.2.11, 5.4.9) were affected.
In a Medium blog post, Huang describes in more detail three of the four vulnerabilities.
According to Huang, the first vulnerability is a Pre-Auth Local File Disclosure that “enables an attacker to read arbitrary file on the server WITHOUT authentication.” The vulnerable code is in /p/api/video.php.
Consequently, an attacker could then upgrade the Pre-Auth Local File Disclosure to launch a privilege escalation attache (or “Login Bypass”).
To add, Huang said a second vulnerability relates to Authenticated Session Tampering:
“Being authenticated as appuser gives us access to the SMTP setting, which has an improper filtering in the email string. By setting an email to, for example, $_POST[c]?>@evil.com, an authenticated attacker can inject arbitrary PHP code into the session, this can be chained in the next vulnerability, or other file inclusion vulnerabilities (e.g. include ‘/path/to/sess_xxx’).”
Henry Huang
The third vulnerability, Pre-Auth Writing Session to Arbitrary Location, could enable an unauthenticated attacker to write session contents (serialized $_SESSION) to an arbitrary location on the server.
To put it all together, Huang further describes how a bad actor could use each of these vulnerabilities to chain for Pre-Auth Root RCE.
To compound matters, Huang warns the web server runs as root. So a bad actor could use the first login bypass vulnerability to read /etc/shadow.
On a similar note, readers may recall that back in May, 2018, a VPNFilter router malware targeted un-patched 500K networking devices worldwide.
At that time, Talos said that impacted devices included QNAP network-attached storage (NAS) devices, as well as a host of other networking equipment makers to include Linksys, MikroTik, NETGEAR and TP-Link.
These are good examples that highlight the critical need to prioritize the patching of internet-facing network devices.