QNAP devices found to have critical code injection vulnerability

02.02.23

Threat Intelligence Alerts

Description:

A code injection vulnerability with a critical severity rating has been found within QNAP devices running QTS 5.0.1 and QuTS hero h5.0.1. QNAP warns in a security advisory that the vulnerability, tracked as CVE-2022-27596, has a CVSSv3 base score of 9.8, meaning a malicious actor could exploit the vulnerability without needing any privileges or user interaction. The National Vulnerability Database’s page on this describes this bug as an SQL injection vulnerability, meaning if it were to be exploited, a threat actor would be able to gain access to the underlying SQL database of the QNAP device, which may contain sensitive user information.

Researchers at Censys have found that potentially 98% of all internet-exposed QNAP devices are vulnerable to this attack, with only a little over 550 devices running a patched version of the software.

As SQL injection attacks can be highly damaging and reveal a significant amount of sensitive information if exploited, it is highly recommended to patch any vulnerable QNAP devices as soon as possible, especially if the device is internet-facing.

QNAP has given the following steps to update QTS or QuTS hero:

QTS or QuTS hero downloads and installs the latest available update.

Tip: You can also download the update from the QNAP website. Go to Support > Download Center and perform a manual update for your device.

Related Links:

https://www.qnap.com/en/security-advisory/qsa-23-01 – Published January 30th

https://www.bleepingcomputer.com/news/security/qnap-fixes-critical-bug-letting-hackers-inject-malicious-code/ – Published January 30^th

https://www.bleepingcomputer.com/news/security/over-29-000-qnap-devices-vulnerable-to-code-injection-attacks/ – Published January 31^st

https://nvd.nist.gov/vuln/detail/CVE-2022-27596 – Published 29th January