Two vulnerabilities in QNAP TS-231 firmware allow NAS takeover
Cybersecurity company SAM Seamless Network discovered two vulnerabilities in a QNAP NAS system. According to SAM, both vulnerabilities allow remote code execution. The company says that QNAP has been notified but has not provided a solution.
According to SAM Seamless Network, all QNAP TS-231 systems with firmware version 4.3.6.1446 are at risk. This firmware was released on September 20, 2020, and the NAS system in question is listed as an end-of-life product on the QNAP website. The cybersecurity company does not rule out the possibility that other models with more recent firmware versions contain the same vulnerabilities.
In the first vulnerability, SAM discovered that code could be executed on the QNAP NAS through CGI files that do not require authentication. “We focused on cgi files that didn’t ask for authentication and fired custom http requests at them, leading in some cases to indirect remote code execution,” the company said. According to SAM, QNAP can eliminate this vulnerability by applying input sanitization to key processes and API libraries.
The second vulnerability that SAM discovered resides in the DLNA server of the NAS system. The DLNA server runs on the NAS as the process myupnpmediasvr on port 8200 and also handles UPnP requests on that same port. According to SAM, this makes it possible for hackers to create data at non-existent locations on the server and to execute code remotely on the NAS system.
After discovering the vulnerabilities, SAM immediately notified QNAP and observed the standard agreed delay period before publishing its findings. QNAP has not yet acted on the vulnerabilities, according to the cybersecurity company.