QNAP QTS Audit Reveals 15 Vulnerabilities, RCE Exploits Possible

During a security audit of the QTS operating system, used in QNAP’s NAS products, fifteen vulnerabilities of varying severity were identified. Notably, eleven of these vulnerabilities remain unpatched.

Among the discovered issues, CVE-2024-27130 stands out, a stack buffer overflow vulnerability in the “No_Support_ACL” function of the “share.cgi” script, which under certain conditions allows an attacker to execute remote code.

QNAP responded to the vulnerability reports with numerous delays, having only addressed four of the fifteen identified issues so far. This is despite the company receiving information about most of the vulnerabilities as early as December 2023 and January 2024.

The security flaws were discovered by WatchTowr Labs, who published full details of their findings, as well as a PoC exploit for CVE-2024-27130.

Identified Security Flaws

Experts found that the vulnerabilities are mainly related to code execution, buffer overflow, memory corruption, authentication bypass, and XSS issues, jeopardizing the security of NAS devices in various deployment environments. The full list of vulnerabilities includes:

• CVE-2023-50361: Unsafe use of “sprintf” in the “getQpkgDir” function, called from “userConfig.cgi”.
• CVE-2023-50362: Unsafe use of SQLite functions via the “addPersonalSmtp” parameter in “userConfig.cgi”.
• CVE-2023-50363: Lack of authentication allows disabling two-factor authentication for any user.
• CVE-2023-50364: Heap overflow with a long directory name when viewing the file list through the “get_dirs” function of the “privWizard.cgi” script.
• CVE-2024-21902: Lack of authentication allows all users to view or clear system logs and perform additional actions.
• CVE-2024-27127: Double free in “utilRequest.cgi” via the “delete_share” function.
• CVE-2024-27128: Stack overflow in the “check_email” function, accessible via the “share_file” and “send_share_mail” actions in “utilRequest.cgi”.
• CVE-2024-27129: Unsafe use of “strcpy” in the “get_tree” function of the “utilRequest.cgi” script.
• CVE-2024-27130: Unsafe use of “strcpy” in “No_Support_ACL”, accessible via the “get_file_size” function in “share.cgi”.
• CVE-2024-27131: Log spoofing through “x-forwarded-for”, allowing users to log downloads as requests from arbitrary sources.
• WT-2023-0050: Details undisclosed due to unexpectedly complex issues.
• WT-2024-0004: Persistent XSS via remote system log messages.
• WT-2024-0005: Persistent XSS via remote device discovery.
• WT-2024-0006: Lack of rate limiting in the authentication API.
• WT-2024-00XX: Details undisclosed.

These issues affect QTS, the operating system for QNAP’s NAS devices, QuTScloud, the QTS version optimized for virtual machines, and QTS hero, a specialized high-performance version.

QNAP’s Response

QNAP has addressed CVE-2023-50361 through CVE-2023-50364 in a security update released in April 2024, in QTS 5.1.6.2722 build 20240402 and later versions, and QTS hero h5.1.6.2734 build 20240414 and later versions.

All other vulnerabilities discovered by WatchTowr remain unaddressed, drawing significant criticism from experts for QNAP’s sluggish response.

Exploit for CVE-2024-27130

The CVE-2024-27130 vulnerability is caused by the unsafe use of the “strcpy” function in the “No_Support_ACL” function. This function is used by the “get_file_size” request in the “share.cgi” script when sharing media files with external users.

An attacker can craft a malicious request through a specially formed “name” parameter, leading to a buffer overflow and remote code execution. Exploiting CVE-2024-27130 requires a valid SSID parameter, which is generated when a file is shared by a QNAP NAS device user.

This parameter is included in the URL created on the device when sharing, and an attacker could use social engineering to obtain it. Moreover, users sometimes share these links online, making them discoverable through a simple Google search.

Although CVE-2024-27130 is not easy to exploit, the SSID parameter can be obtained with sufficient persistence from the attacker. As noted, WatchTowr specialists have published the exploit on GitHub, demonstrating how to create an account on a QNAP device and elevate its privileges.

QNAP has not yet commented on the technical report by WatchTowr Labs and the accusations of slow vulnerability remediation.