Cybersecurity researchers have discovered two severe vulnerabilities in QNAP devices that could allow hackers to execute arbitrary code. The researchers from Sternum used their runtime protection benchmark product on a QNAP TS-230 NAS device, and as soon as the product was activated, it started alerting them to “multiple memory access violations”. The researchers explained that the alert was caused by multiple out-of-bounds read and write requests performed by several memcpy functions. More than 80,000 connected devices worldwide are affected by these vulnerabilities.
Specifically, the CVE-2022-27597 and CVE-2022-27598 vulnerabilities affect four operating systems: QTS, QuTS hero, QuTScloud, and QVP (QVR Pro appliances). QNAP has released a patch that fixes the flaws in QTS 5.0.1.2346 build 20230322 (and later) and QuTS hero h5.0.1.2348 build 20230324 (and later). After Sternum reported the vulnerabilities, QNAP acknowledged the issues and released the CVEs. The severity scores for these two vulnerabilities have not yet been assigned.
Also Read:
The researchers from Sternum stated that in the source file api-cpp, the int iface_status2interface_status function contained a memcpy call with a constant size of 46, but as the source string content for the call was an IPv6 address (which can have 39 bytes max), this leads to a potential out-of-bounds issue. Moreover, the NetworkInterface.cpp source file has the get_interface_slaac_info function with four memcpy calls with the copy size 46, which copies JSON values from buffers returned by Json::Value::asCString. The string buffers were often shorter than 46, which causes potential out-of-bounds issues in all four memcpy calls.
QNAP devices, which range from small home servers to large business data storage devices, are widely used around the world. The discovery of these vulnerabilities and their potential exploitation highlights the importance of device security and the necessity of updates.
Also Read:
This discovery comes amid an increasingly volatile cybersecurity landscape, marked by an increase in cyber attacks targeting valuable data in both private and public sectors. This year, cyber attacks have brought down major companies, caused global supply chain disruptions, and even delayed elections. Research has shown that organizations are experiencing more cyber attacks than ever before, with small businesses being hit the hardest.
While it is essential to take cybersecurity measures to protect the confidentiality, integrity, and availability of data, it is equally important to stay vigilant and keep up with the latest threats and vulnerabilities. This is especially true for connected devices, which are being used more frequently than ever before. With the rise of the Internet of Things (IoT), devices will continue to become more connected, which will increase the potential risk of hacking.
Also Read:
As QNAP has released a patch that fixes the vulnerabilities, users are encouraged to update their devices as soon as possible. In general, it is good practice to ensure that all devices and software are updated regularly to maintain security. In conclusion, the discovery of these vulnerabilities in QNAP devices underscores the importance of cybersecurity and serves as a reminder to always prioritize security measures.
In Other News Around the World: