QNAP Systems has fixed a critical vulnerability (CVE-2022-27596) affecting QNAP Network Attached Storage (NAS) devices. This vulnerability could be exploited by a remote attacker to inject malicious code into a vulnerable system.
Fortunately for QNAP NAS owners, there is no mention of it being exploited by attackers or having exploits made public.
QNAP’s advisory does not provide details about CVE-2022-27596, but the vulnerability entry in NIST’s National Vulnerability Database reveals that “improper neutralization of special elements used in SQL commands” is behind the flaw, meaning it could allow attackers to perform SQL injection attacks.
Successful exploitation could allow the attacker to access, modify or delete sensitive data.
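As an added illustration (not QNAP’s code; the share table and the lookup functions are constructed for this example), the following shows the flaw class named above: a query that fails to neutralize special elements in user input next to the same lookup done with a parameterized query, run against an in-memory SQLite database.

```python
"""CWE-89 illustration: string-built SQL versus a parameterized query.
The table, rows and function names are constructed for this example."""
import sqlite3


def make_db():
    # Constructed sample data standing in for a NAS share table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE shares (name TEXT, owner TEXT)")
    conn.executemany(
        "INSERT INTO shares VALUES (?, ?)",
        [("Public", "admin"), ("Backups", "alice"), ("Finance", "bob")],
    )
    return conn


def shares_for_owner_vulnerable(conn, owner):
    # Quotes and SQL keywords in `owner` are not neutralized, so they are
    # interpreted as part of the command rather than as a value.
    sql = "SELECT name FROM shares WHERE owner = '" + owner + "'"
    return sorted(row[0] for row in conn.execute(sql))


def shares_for_owner_fixed(conn, owner):
    # The driver binds `owner` as data; it cannot change the query structure.
    sql = "SELECT name FROM shares WHERE owner = ?"
    return sorted(row[0] for row in conn.execute(sql, (owner,)))


def demo():
    conn = make_db()
    benign = "alice"
    # A value containing unneutralized special elements; the vulnerable
    # lookup returns every owner's shares, the fixed one returns nothing.
    crafted = "x' OR '1'='1"
    return {
        "vulnerable_benign": shares_for_owner_vulnerable(conn, benign),
        "vulnerable_crafted": shares_for_owner_vulnerable(conn, crafted),
        "fixed_benign": shares_for_owner_fixed(conn, benign),
        "fixed_crafted": shares_for_owner_fixed(conn, crafted),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```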
This vulnerability affects QNAP devices running version 5.0.1 of QTS, the operating system for entry-level and mid-range QNAP NAS devices, and version h5.0.1 of QuTS hero, the OS for high-end and enterprise QNAP NAS models. It is fixed in:
- QTS 220.127.116.114 build 20221201 or later
- QuTS hero h18.104.22.1688 build 20221215 or later
Protect your NAS
“SQL injection has become a common problem on database-driven websites. This vulnerability is easy to detect and easy to exploit, so even sites and software packages with a minimal user base may see this kind of attack attempted,” MITRE points out.
QNAP NAS devices (and other widely used NAS devices) are often targeted by attackers, including various strains of ransomware. Zero-day vulnerabilities are sometimes exploited to load malware onto vulnerable Internet-connected devices, but attackers more often rely on known vulnerabilities and on the many users who do not bother to update their devices regularly.
There is no workaround for this flaw and QNAP advises users to update their appliances immediately.
In addition, NAS device administrators should:
- Protect device admin accounts from password guessing and brute-force attacks with unique, long, complex passwords and multi-factor authentication
- Block access to the device from the Internet (if remote access is not needed) and restrict access to specific IP ranges only (such as home or business networks)
UPDATE (Feb 1, 2023 3:40 AM ET):
Censys says at least 29,968 Internet-connected QNAP NAS devices may be affected by this vulnerability.