There are security issues with QNAP’s NAS products that show when they come together they can potentially allow remote attackers to execute arbitrary commands on a system at administrator privilege level over the Internet.
Apart from pure network storage systems, this also affects QNAP Security’s VioStor video surveillance systems.
The holes, discovered by Tim Herres and David Elze of the Daimler TSS Offensive Security Team, first came to light in March. The testers reported the problems to CERT, but CERT was unable to find a QNAP Security representative who would respond to its attempts to explain the problem.
When the problem still existed two months later, the testers got in touch with others who were able to find a contact person at QNAP who then put together a first patch.
The integrated web server in VioStor and NAS devices makes a range of utility programs available in the cgi-bin/directory. This directory is password-protected to prevent unauthorized access: When someone attempts to gain access, the server will request a user name and password (HTTP Basic Authentication). The problem is that entering basic guest credentials will grant access to the directory, and a user cannot disable this functionality via the user interface.
Among the CGI programs that are accessible this way are the create_user.cgi script and, on some systems, pingping.cgi. The former allows potential attackers to create a new admin account (Cross-Site Request Forgery, CSRF), while the ping script enables attackers to inject arbitrary shell commands in such a way they will end up executed at root level.
Quite a few vulnerable QNAP systems are accessible on the Internet, but the situation in which arbitrary employees can gain access to a company’s network storage is likely also undesirable in any enterprise network. On top of that there is a possibility that during a break-in, intruders could simply connect a laptop to a network socket to delete any incriminating video footage from a VioStor surveillance system.
According to the Daimler TSS testers, QNAP VioStor network video recorders, at least up to firmware version 4.0.3, suffer from the issue. The sensitivity of the problem becomes apparent when you look at where these surveillance systems see use: Police and military agencies, banks, among others.
CERT released an advisory on the matter and rated CVE-2013-0141, CVE-2013-0142 and CVE-2013-0143 at the highest CVSS threat level of 10.
QNAP is currently working on the problems and will publish more information soon. Until then users should strictly control access to affected systems.