QNAP Security Nightmare: 11 Unpatched Flaws Expose NAS Devices to Cyber Threats

Peekaboo, hackers! QNAP’s QTS is like Swiss cheese, with 15 holes and only 4 corks! Ready for some remote high-jinks? CVE-2024-27130 awaits! 🧀💻🕵️‍♂️ #QTSVulnerabilities

Hot Take:

Looks like QNAP’s QTS is playing Whack-A-Mole with vulnerabilities, and the moles are winning 11 to 4. If NAS devices were piñatas, this audit was a kid with a baseball bat. And now, thanks to WatchTowr Labs, we’ve got a front-row seat to this cybersecurity piñata party. But don’t grab your candy bag yet: some of these sweets come with a bitter aftertaste of unchecked bugs and potential system hijacks.

Key Points:

  • WatchTowr Labs uncovered a NAS-ty situation with fifteen vulnerabilities in QNAP’s QTS operating system.
  • QNAP has patched up just four vulnerabilities, leaving eleven to party like it’s 1999 (if 1999 had modern cyber threats).
  • One standout vulnerability, CVE-2024-27130, is a stack buffer overflow that could lead to remote code execution.
  • Exploiting CVE-2024-27130 requires a valid ‘ssid’, which is like a golden ticket for attackers if they can sweet-talk their way to it.
  • WatchTowr’s proof of concept for CVE-2024-27130 is like a recipe for disaster cookies—bake at your own risk.

Title: QTS, QuTS hero
CVE ID: CVE-2023-50364
CVE state: PUBLISHED
CVE assigner short name: qnap
CVE date updated: 05/09/2024
CVE description: A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated users to execute code via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.6.2722 build 20240402 and later; QuTS hero h5.1.6.2734 build 20240414 and later.

Title: QTS, QuTS hero
CVE ID: CVE-2023-50363
CVE state: PUBLISHED
CVE assigner short name: qnap
CVE date updated: 04/26/2024
CVE description: An incorrect authorization vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated users to bypass intended access restrictions via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.6.2722 build 20240402 and later; QuTS hero h5.1.6.2734 build 20240414 and later.

Title: QTS, QuTS hero
CVE ID: CVE-2024-27128
CVE state: PUBLISHED
CVE assigner short name: qnap
CVE date updated: 05/21/2024
CVE description: A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated users to execute code via a network. We have already fixed the vulnerability in the following version: QTS 5.1.7.2770 build 20240520 and later; QuTS hero h5.1.7.2770 build 20240520 and later.

Title: QTS, QuTS hero
CVE ID: CVE-2024-27127
CVE state: PUBLISHED
CVE assigner short name: qnap
CVE date updated: 05/21/2024
CVE description: A double free vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated users to execute arbitrary code via a network. We have already fixed the vulnerability in the following version: QTS 5.1.7.2770 build 20240520 and later; QuTS hero h5.1.7.2770 build 20240520 and later.

Title: QTS, QuTS hero
CVE ID: CVE-2023-50362
CVE state: PUBLISHED
CVE assigner short name: qnap
CVE date updated: 04/26/2024
CVE description: A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated users to execute code via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.6.2722 build 20240402 and later; QuTS hero h5.1.6.2734 build 20240414 and later.

Title: QTS, QuTS hero
CVE ID: CVE-2024-27130
CVE state: PUBLISHED
CVE assigner short name: qnap
CVE date updated: 05/21/2024
CVE description: A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to execute code via a network. We have already fixed the vulnerability in the following version: QTS 5.1.7.2770 build 20240520 and later; QuTS hero h5.1.7.2770 build 20240520 and later.

Title: QTS, QuTS hero
CVE ID: CVE-2024-21902
CVE state: PUBLISHED
CVE assigner short name: qnap
CVE date updated: 05/21/2024
CVE description: An incorrect permission assignment for critical resource vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated users to read or modify the resource via a network. We have already fixed the vulnerability in the following version: QTS 5.1.7.2770 build 20240520 and later; QuTS hero h5.1.7.2770 build 20240520 and later.

Title: QTS, QuTS hero
CVE ID: CVE-2023-50361
CVE state: PUBLISHED
CVE assigner short name: qnap
CVE date updated: 04/26/2024
CVE description: A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated users to execute code via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.6.2722 build 20240402 and later; QuTS hero h5.1.6.2734 build 20240414 and later.

Title: QTS, QuTS hero
CVE ID: CVE-2024-27129
CVE state: PUBLISHED
CVE assigner short name: qnap
CVE date updated: 05/21/2024
CVE description: A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated users to execute code via a network. We have already fixed the vulnerability in the following version: QTS 5.1.7.2770 build 20240520 and later; QuTS hero h5.1.7.2770 build 20240520 and later.
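
The fixed releases in the CVE records above can be turned into a quick inventory check; this is an added example, not code from WatchTowr, QNAP or the original article. It assumes firmware strings in the "5.1.6.2722 build 20240402" form used above, with a leading "h" marking QuTS hero; the function names and sample strings are constructed for illustration, and firmware branches not listed on this page are not covered.

```python
import re

# Fixed releases exactly as listed in the CVE records above.
FIX_APRIL = {"QTS": "5.1.6.2722 build 20240402",
             "QuTS hero": "h5.1.6.2734 build 20240414"}
FIX_MAY = {"QTS": "5.1.7.2770 build 20240520",
           "QuTS hero": "h5.1.7.2770 build 20240520"}

FIXED_IN = {
    "CVE-2023-50361": FIX_APRIL,
    "CVE-2023-50362": FIX_APRIL,
    "CVE-2023-50363": FIX_APRIL,
    "CVE-2023-50364": FIX_APRIL,
    "CVE-2024-21902": FIX_MAY,
    "CVE-2024-27127": FIX_MAY,
    "CVE-2024-27128": FIX_MAY,
    "CVE-2024-27129": FIX_MAY,
    "CVE-2024-27130": FIX_MAY,
}

_FW = re.compile(r"^(h?)(\d+(?:\.\d+)*)(?:\s+build\s+(\d{8}))?$", re.IGNORECASE)

def parse_firmware(text):
    """Return (product, version_tuple, build_date) for a firmware string."""
    m = _FW.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware string: {text!r}")
    product = "QuTS hero" if m.group(1) else "QTS"
    version = tuple(int(p) for p in m.group(2).split("."))
    build = int(m.group(3)) if m.group(3) else 0  # unknown build: treat as oldest
    return product, version, build

def unpatched_cves(firmware):
    """List the CVEs above whose fixed release is newer than `firmware`."""
    product, version, build = parse_firmware(firmware)
    missing = []
    for cve, fixes in sorted(FIXED_IN.items()):
        _, fixed_version, fixed_build = parse_firmware(fixes[product])
        if (version, build) < (fixed_version, fixed_build):
            missing.append(cve)
    return missing

if __name__ == "__main__":
    # Constructed sample inventory, not real devices.
    for fw in ("5.1.0.0001 build 20230101", "h5.1.6.2734 build 20240414"):
        print(fw, "->", unpatched_cves(fw) or "all listed fixes present")
```

A firmware string without a build date is treated as older than any dated build of the same version, so an ambiguous entry is flagged rather than silently passed.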

Need to know more?

The Hall of Infamous Bugs

Cybersecurity researchers at WatchTowr Labs didn't just stumble upon a couple of bugs; they hit the vulnerability jackpot. From buffer overflows to authentication bypasses, it's like they found the cheat codes to the QNAP QTS operating system. Some of the most 'impressive' bugs include unsafe use of functions that sound like they should be in a developer's hall of shame and missing authentication that's like leaving your front door wide open with a sign saying "Come on in!"

Patching Up the Leaks... Sort Of

QNAP wasn't totally asleep at the wheel—they did manage to patch four out of the fifteen vulnerabilities. It's like they're playing a game of cybersecurity whack-a-mole, except they're using a Q-tip instead of a mallet. The patched flaws are like the minor characters in a horror movie; they get taken out early while the main villains keep causing chaos.

The Star of the Show: CVE-2024-27130

Every horror movie has its star, and in this case, it's CVE-2024-27130. This particular bug is the headliner—the one that gets its name on the cybersecurity equivalent of a Hollywood Walk of Fame star. It's a classic tale of 'strcpy' gone wild, leading to a potential remote code execution performance that nobody asked for. The only thing missing is a dramatic soundtrack and popcorn.

Exploit Blockbuster Premiere

WatchTowr didn't just drop the news; they premiered a proof of concept exploit that's more explosive than a summer blockbuster hit. This exploit is like a DIY kit for the ambitious hacker: it shows how to create an account and get it VIP access to the sudoers list. It's like giving a burglar the keys to the bank vault and a map of where the cameras don't reach.

QNAP's Silent Treatment

When BleepingComputer reached out to QNAP for a comment, they got the silent treatment. It's like calling out someone who spilled their drink at a party and watching them slowly back away into the crowd. Maybe QNAP is planning a surprise comeback, or maybe they're just hoping everyone will get distracted by the next big thing in cybersecurity drama. Only time will tell.

Tags: buffer overflow, CVE-2024-27130, NAS security flaws, Network-Attached Storage, Proof-of-Concept Exploit, QNAP vulnerabilities, Remote Code Execution