Overkill Security

CVE-2024-27130 in QNAP: When 'Secure' is Just a Marketing Term

The watchTowr Labs article "QNAP QTS - QNAPping At The Wheel (CVE-2024-27130 and friends)" is a detailed analysis of several vulnerabilities in QNAP NAS devices running QTS and QuTS hero.
CVE-2024-27130, stack buffer overflow in share.cgi: the No_Support_ACL function, reached through the get_file_size function of share.cgi, copies a request-controlled string into a fixed-size stack buffer with strcpy and never checks its length. An overlong value runs past the end of the buffer, and that overflow can be turned into remote code execution (RCE) on the NAS.
Attack Scenario:
📌Step 1: Precondition. The vulnerable path is only reachable through a file share, so the attacker needs a valid share identifier (ssid). An attacker who holds a NAS user account (obtained by phishing, credential stuffing, or another vulnerability) can create one by sharing a file; a share link that a legitimate user has already sent out carries one as well.
📌Step 2: File sharing. Sharing a file with an external, untrusted user generates the ssid. A request to share.cgi that presents that ssid and asks for the get_file_size operation reaches the get_file_size function.
📌Step 3: Exploitation. get_file_size calls No_Support_ACL, which strcpys an attacker-controlled request parameter into a fixed-size stack buffer. A value longer than the buffer overwrites whatever sits above it on the stack, including the saved return address, so the attacker chooses the data that ends up in the frame's control fields.
📌Step 4: Remote code execution. Controlling the return address lets the attacker redirect execution and run arbitrary code in the context of the CGI process on the NAS, which in practice means control of the device and the data on it. QTS runs the CGI with ASLR, so a reliable exploit has to cope with address randomisation; watchTowr's proof of concept did, but it raises the number of attempts an attacker needs.
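The pattern behind steps 3 and 4, as an added C example that is not code from the watchTowr write-up or from QNAP: a model stack frame with a fixed-size name buffer directly below a saved return address, the unbounded copy No_Support_ACL performs, and the bounded replacement that rejects an overlong value. The buffer size (64 bytes), the frame layout, the constructed "saved return address" and the name of the request parameter are all assumptions made for the model; the real sizes and layout in share.cgi are not given on the page.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed size of the fixed stack buffer in No_Support_ACL (not given on the page). */
#define NAME_BUF 64
#define FRAME_SIZE (NAME_BUF + sizeof(uint64_t))

/* Model of the vulnerable frame: the name buffer sits directly below the saved
 * return address. A plain byte array keeps the overrun inside the model
 * instead of corrupting this program's real stack. */
struct frame {
    unsigned char bytes[FRAME_SIZE];
};

/* Constructed "saved return address" so the clobber is visible. */
static const uint64_t ORIGINAL_RET = 0x7f8ac0de12345678ULL;

static void frame_init(struct frame *f)
{
    memset(f->bytes, 0, FRAME_SIZE);
    memcpy(f->bytes + NAME_BUF, &ORIGINAL_RET, sizeof ORIGINAL_RET);
}

static uint64_t frame_saved_ret(const struct frame *f)
{
    uint64_t r;
    memcpy(&r, f->bytes + NAME_BUF, sizeof r);
    return r;
}

/* Vulnerable pattern, written out with strcpy's semantics: copy every byte up
 * to and including the NUL, never consulting the destination size. Returns
 * the number of bytes written; bytes past the model frame are dropped. */
static size_t no_support_acl_vulnerable(struct frame *f, const char *name)
{
    size_t i = 0;
    for (;; i++) {
        if (i < FRAME_SIZE)
            f->bytes[i] = (unsigned char)name[i];
        if (name[i] == '\0')
            break;
    }
    return i + 1;
}

/* Hardened form: refuse any value that does not fit together with its
 * terminator, then copy with an explicit bound. 0 on success, -1 if rejected. */
static int no_support_acl_hardened(struct frame *f, const char *name)
{
    const char *nul = memchr(name, '\0', NAME_BUF);
    if (nul == NULL)            /* no terminator inside the buffer: too long */
        return -1;
    memcpy(f->bytes, name, (size_t)(nul - name) + 1);
    return 0;
}

/* Constructed stand-in for the overlong parameter value ('A' * total). */
static void build_payload(char *out, size_t total)
{
    memset(out, 'A', total);
    out[total] = '\0';
}

/* Run the vulnerable copy on a payload of the given length and report the
 * saved return address afterwards. */
uint64_t ret_after_vulnerable(size_t payload_len)
{
    char payload[256];
    struct frame f;
    if (payload_len >= sizeof payload)
        payload_len = sizeof payload - 1;
    build_payload(payload, payload_len);
    frame_init(&f);
    no_support_acl_vulnerable(&f, payload);
    return frame_saved_ret(&f);
}

/* 1 if the hardened copy accepts the value, 0 if it rejects it. */
int hardened_accepts(const char *name)
{
    struct frame f;
    frame_init(&f);
    return no_support_acl_hardened(&f, name) == 0;
}

int hardened_accepts_len(size_t payload_len)
{
    char payload[256];
    if (payload_len >= sizeof payload)
        payload_len = sizeof payload - 1;
    build_payload(payload, payload_len);
    return hardened_accepts(payload);
}

int main(void)
{
    printf("saved return, 40-byte name: 0x%016llx\n", (unsigned long long)ret_after_vulnerable(40));
    printf("saved return, 64-byte name: 0x%016llx (the terminator alone clobbers a byte)\n",
           (unsigned long long)ret_after_vulnerable(64));
    printf("saved return, 80-byte name: 0x%016llx\n", (unsigned long long)ret_after_vulnerable(80));
    printf("hardened accepts 80-byte name: %d\n", hardened_accepts_len(80));
    return 0;
}
```

The 64-byte case is the one reviewers miss: a value that exactly fills the buffer still writes its NUL terminator one byte past the end, so a fix that only checks `len <= NAME_BUF` is not a fix. The hardened variant checks for the terminator inside the buffer, which is equivalent to requiring `len < NAME_BUF`.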
Related Vulnerabilities
📌CVE-2024-27129: unsafe use of strcpy in the get_tree function of utilRequest.cgi, a static buffer overflow leading to RCE; requires a valid account on the NAS.
📌CVE-2024-27131: log spoofing via the X-Forwarded-For header lets a user make a download appear in the logs as if it had been requested from an arbitrary source address; requires only the ability to download a file.
📌WT-2024-0004: stored XSS via remote syslog messages; requires a non-default configuration.
📌WT-2024-0005: stored XSS via remote device discovery; no prerequisites.
📌WT-2024-0006: no rate limiting on the authentication API, so password guessing against it is not throttled; no prerequisites.
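The fix for the CVE-2024-27131 class of bug is a policy question rather than a parsing one: X-Forwarded-For is client-supplied text and is only meaningful when a proxy you control appended to it. As an added C example that is not QNAP's code, the routine below picks the address to write into a download log. It trusts the header only when the TCP peer is one of a constructed list of reverse proxies, walks the list from the right skipping trusted hops so that a client cannot prepend its own value, and refuses anything that does not look like an address so that a spoofed header cannot push newlines into the log. The proxy addresses and test strings are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed list of reverse proxies in front of the NAS; only these peers
 * are allowed to tell us who the real client was. */
static const char *const TRUSTED_PROXIES[] = { "10.0.0.5", "10.0.0.6" };
#define N_TRUSTED (sizeof TRUSTED_PROXIES / sizeof TRUSTED_PROXIES[0])

static int is_trusted_proxy(const char *s, size_t n)
{
    for (size_t i = 0; i < N_TRUSTED; i++)
        if (strlen(TRUSTED_PROXIES[i]) == n && memcmp(TRUSTED_PROXIES[i], s, n) == 0)
            return 1;
    return 0;
}

/* Only hex digits, '.' and ':' are allowed, so a spoofed header cannot carry
 * CR/LF or other log-injection characters into the download record. */
static int looks_like_ip(const char *s, size_t n)
{
    if (n == 0 || n > 45)
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!isxdigit(c) && c != '.' && c != ':')
            return 0;
    }
    return 1;
}

/* Decide which address to record for a download. The TCP peer is the default.
 * X-Forwarded-For is consulted only when the peer is a trusted proxy, and the
 * list is then walked right to left, skipping trusted hops, so the chosen
 * value is the one a trusted proxy appended, not what the client sent. */
const char *client_ip_for_log(const char *peer, const char *xff, char *out, size_t outlen)
{
    snprintf(out, outlen, "%s", peer);
    if (xff == NULL || !is_trusted_proxy(peer, strlen(peer)))
        return out;

    size_t end = strlen(xff);
    while (end > 0) {
        size_t start = end;
        while (start > 0 && xff[start - 1] != ',')
            start--;
        size_t s = start, e = end;
        while (s < e && isspace((unsigned char)xff[s])) s++;
        while (e > s && isspace((unsigned char)xff[e - 1])) e--;
        size_t n = e - s;
        if (!looks_like_ip(xff + s, n))
            return out;                   /* malformed header: trust none of it */
        if (!is_trusted_proxy(xff + s, n)) {
            if (n < outlen) {
                memcpy(out, xff + s, n);
                out[n] = '\0';
            }
            return out;
        }
        end = start > 0 ? start - 1 : 0;  /* step back over the comma */
    }
    return out;                           /* every hop was a trusted proxy */
}

/* Convenience wrapper with a static buffer for quick checks. */
const char *log_ip(const char *peer, const char *xff)
{
    static char buf[64];
    return client_ip_for_log(peer, xff, buf, sizeof buf);
}

int main(void)
{
    printf("%s\n", log_ip("203.0.113.7", "1.2.3.4"));                       /* direct client, header ignored */
    printf("%s\n", log_ip("10.0.0.5", "1.1.1.1, 198.51.100.9, 10.0.0.6"));   /* via two proxies, spoofed prefix skipped */
    printf("%s\n", log_ip("10.0.0.5", "198.51.100.9\r\nGET /evil"));         /* injection attempt, falls back to peer */
    return 0;
}
```

If the NAS is never behind a proxy, the trusted list is empty and the header is simply never consulted; that is the configuration most home and small-office deployments should be in.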
Mitigation and Patching
📌Patches available: the first four issues (CVE-2024-27129, CVE-2024-27130, CVE-2024-27131 and WT-2024-0004) are fixed in QTS 5.1.6.2722 build 20240402 and later and in QuTS hero h5.1.6.2734 build 20240414 and later. The remaining two had no fix at the time of the write-up, so confirm the current state against QNAP's security advisories rather than assuming a device on those builds is fully covered.
📌Vendor response: QNAP acknowledged the reports and has been working on fixes, but some issues remain under an extended embargo because of their complexity. Until everything ships, keeping the NAS off the open internet and reaching its web interface only over a VPN removes the unauthenticated surface (WT-2024-0005, WT-2024-0006) entirely.