The security of your data stored on QNAP devices is imperative, and a recently discovered critical vulnerability could put it at risk. In this advisory, we will discuss the details of the vulnerability, the potential risk, and the recommendations to keep your data safe.

QNAP, a vendor of Network-Attached Storage (NAS) devices, has warned its customers of a critical security vulnerability in its devices that could allow remote attackers to inject malicious code. The vulnerability, tracked as CVE-2022-27596, is rated as critical with a CVSS v3 score of 9.8 and impacts the QTS 5.0.1 and QuTS hero h5.0.1 versions of the operating system.

What is the Threat?

The vulnerability reported in QNAP devices running QTS 5.0.1 and QuTS hero h5.0.1 is a SQL injection flaw, allowing attackers to send specially crafted requests to modify legitimate SQL queries and perform unexpected behavior. The vulnerability is exploitable in low-complexity attacks by remote attackers without requiring user interaction or privileges on the targeted device.

Why is it Noteworthy?

The severity of the vulnerability cannot be ignored as it is exploitable without any user interaction or privileges on the targeted device. Furthermore, QNAP devices are already the target of ongoing ransomware campaigns known as DeadBolt and eCh0raix, which abuse vulnerabilities to encrypt data on exposed NAS devices.

What is the Exposure or Risk?

The risk of exposure is high, as remote attackers can exploit the vulnerability to inject malicious code on the QNAP devices. The malicious code could compromise the data stored on the devices and expose it to cybercriminals. Additionally, the malicious code could also be used to encrypt data and hold it for ransom.

What are the Recommendations?

To remain safe, QNAP users should upgrade their devices to the following versions:

• QTS 5.0.1.2234 build 20221201 and later

• QuTS hero h5.0.1.2248 build 20221215 and later

To perform the update, customers can log into their devices as the admin user and go to "Control Panel → System → Firmware Update." Under the "Live Update" section, click the "Check for Update" option and wait for the download and installation to complete. Alternatively, QNAP users may download the update from QNAP's Download Center (https://www.qnap.com/en/download) after selecting the correct product type and model and applying it manually on their devices.

Due to the flaw's severity, users are recommended to apply available security updates as soon as possible, as threat actors actively target QNAP vulnerabilities.

References

• QNAP security advisory: https://www.qnap.com/en/security-advisory/qsa-23-01

• NIST portal: https://nvd.nist.gov/vuln/detail/CVE-2022-27596