1. Forum
  2. tqwNet
  3. TQW_GENTECH

  • A benchmark test uncovered some critical vulnerabilities in thous

    From TechnologyDaily@1337:1/100 to All on Wed Apr 5 11:45:04 2023
    A benchmark test uncovered some critical vulnerabilities in thousands of QNAP devices

    Date:
    Wed, 05 Apr 2023 10:32:32 +0000

    Description:
    Two zero-days discovered affecting some 80,000 QNAP NAS devices.

    FULL STORY ======================================================================

    Tens of thousands of internet-connected QNAP devices were found to be
    carrying two severe vulnerabilities which could have allowed threat actors to execute arbitrary code.

    Cybersecurity researchers from Sternum used their runtime protection
    benchmark product on QNAP TS-230 NAS device , and as soon as the product was activated, it started alerting the researchers to multiple memory access violations.

    In this case, the reason for the alert was multiple out-of-bounds read and write requests, performed by several memcpy functions, the researchers explained. Out of bounds issues

    Detailing their findings, the researchers said that in the source file api-cpp, the int iface_status2interface_status function contained a memcpy call with a constant size of 46, but as the source string content for the
    call was an IPv6 address (which can have 39 bytes max), this leads to a potential out-of-bounds (OOB) issue.

    Furthermore, the NetworkInterface.cpp source file has the get_interface_slaac_info function with four memcpy calls with the copy size 46, which copies JSON values from buffers returned by Json::Value::asCString. The string buffers were often shorter than 46, the researcher said, which causes potential OOB issues in all four memcpy calls. Read more

    Sorry QNAP customers, you're under attack again


    QNAP calls on users to update NAS devices immediately


    These are the best firewalls

    After notifying QNAP of their findings, the company acknowledged the issues and released two CVEs: CVE-2022-27597, and CVE-2022-27598. These show that
    the flaws affected four operating systems: QTS, QuTS hero, QuTScloud, and QVP (QVR Pro appliances). The severity scores for these two vulnerabilities have not yet been assigned.

    By conservative estimate, Sternum says, more than 80,000 connected devices worldwide are affected by these two zero-day vulnerabilities.

    The patch that QNAP released already fixed the flaws in QTS 5.0.1.2346 build 20230322 (and later), and QuTS hero h5.0.1.2348 build 20230324 (and later). These are the best endpoint protection software around



    ======================================================================
    Link to news story: https://www.techradar.com/news/a-benchmark-test-uncovered-some-critical-vulner abilities-in-thousands-of-qnap-devices


    --- Mystic BBS v1.12 A47 (Linux/64)
    * Origin: tqwNet Technology News (1337:1/100)