QNAP releases firmware patches for 9 vulnerabilities in video surveillance systems and NAS devices
by Tina Siering
Taiwanese manufacturer QNAP has released a series of security updates for vulnerabilities, including one that the company classifies as critical.
"A vulnerability has been reported that affects QNAP VS Series NVR with QVR," QNAP said in a statement. "If this vulnerability is exploited, remote attackers can execute arbitrary commands." The VS Series NVR video surveillance system and various models of network-attached storage (NAS) devices are affected. QNAP administrators should apply the provided updates promptly.
The latest vulnerability in the video surveillance system is listed as CVE-2022-27588 (CVSS score: 9.8) and has been fixed in QVR 5.1.6 build 20220401 and higher.
QNAP is also fixing other vulnerabilities rated "medium" and "high" in the operating system and software of its NAS devices: the QTS, QuTS hero and QuTScloud systems as well as Photo Station and Video Station are affected. Attackers could execute their own commands on the devices and compromise the affected systems.
The manufacturer's warning messages linked below contain information about the secured versions of all affected devices:
- CVE-2022-27588 (CVSS score: 9.8)
This critical vulnerability has been fixed in QVR 5.1.6 build 20220401 and above. It was reported by the Japan Computer Emergency Response Team Coordination Center (JPCERT/CC). It is considered to be particularly severe because the vulnerability can be used to inject malicious code onto the system.
Recommended action:
In its warning message, the company itself classifies this vulnerability as critical. Attackers could remotely load malicious code onto affected devices. Check whether your devices are affected and apply the recommended updates.
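A small inventory check for the QVR fix named above, as an added example that is not part of the original article or QNAP's own tooling: it parses reported QVR version strings, compares them against "5.1.6 build 20220401" and flags every device still below that release. Hostnames and version strings in the sample inventory are constructed for illustration.

```python
import re

# Fixed release named in the advisory: QVR 5.1.6 build 20220401 (and above).
FIXED_QVR = (5, 1, 6, 20220401)

# Accepts "QVR 5.1.6 build 20220401", "5.1.6 build 20220401" or a bare "5.1.6".
_VERSION_RE = re.compile(
    r"^\s*(?:QVR\s+)?(\d+)\.(\d+)\.(\d+)\s*(?:build\s*(\d{8}))?\s*$",
    re.IGNORECASE,
)


def parse_qvr_version(text):
    """Parse a QVR version string into (major, minor, patch, build).

    A missing build number is recorded as 0 so that a bare "5.1.6" sorts
    below the fixed build and is therefore treated as unpatched.
    Returns None when the string cannot be parsed at all."""
    m = _VERSION_RE.match(text)
    if not m:
        return None
    major, minor, patch, build = m.groups()
    return (int(major), int(minor), int(patch), int(build) if build else 0)


def qvr_is_patched(text):
    """True if the reported version is at or above the fixed release.

    Unparseable or incomplete versions fail closed: they count as unpatched
    so that the device is flagged for a manual look rather than ignored."""
    version = parse_qvr_version(text)
    return version is not None and version >= FIXED_QVR


def triage(inventory):
    """Return the hostnames whose QVR is below the fix and must be updated."""
    return [host for host, version in inventory.items() if not qvr_is_patched(version)]


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "nvr-lobby": "QVR 5.1.6 build 20220401",   # exactly the fixed release
    "nvr-dock": "QVR 5.1.5 build 20211210",    # older release, needs update
    "nvr-lab": "5.1.6 build 20220520",         # later build of the fixed release
    "nvr-old": "5.0.9",                        # no build number, older train
    "nvr-unknown": "n/a",                      # inventory gap, flagged fail-closed
}

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: reported {SAMPLE_INVENTORY[host]!r}, below QVR 5.1.6 build 20220401, update required")
```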
Path traversal vulnerability in thttpd:
- CVE-2021-38693 (CVSS score: 5.3)
A path traversal vulnerability in thttpd affecting QNAP devices running QTS, QuTS hero, QuTScloud, and QVR Pro Appliance resulting in information disclosure.
Vulnerability in Photo Station:
- CVE-2021-44057 (CVSS score: 7.1)
An authentication vulnerability in QNAP devices running Photo Station that could lead to system compromise.
Multiple vulnerabilities in QTS, QuTS hero, and QuTScloud:
- CVE-2021-44051 (CVSS score: 8.8)
A vulnerability in QNAP devices running QTS, QuTS hero, and QuTScloud that allows execution of arbitrary commands.
- CVE-2021-44052 (CVSS score: 6.5)
Improper link resolution before file access ("link following") in QNAP devices running QTS, QuTS hero, and QuTScloud, allowing attackers to read/write files in arbitrary locations.
- CVE-2021-44053 (CVSS score: 5.7)
A cross-site scripting (XSS) vulnerability in QNAP devices running QTS, QuTS hero, and QuTScloud that leads to code injection.
- CVE-2021-44054 (CVSS score: 4.3)
An open redirection vulnerability in QNAP devices running QTS, QuTS hero, and QuTScloud that allows redirecting users to rogue websites.
Multiple vulnerabilities in Video Station:
- CVE-2021-44055 (CVSS score: 5.3)
A missing authorization vulnerability in QNAP devices running Video Station that allows attackers to access data or perform unauthorized actions.
- CVE-2021-44056 (CVSS score: 7.1)
An improper authentication vulnerability in QNAP devices running Video Station that could lead to system compromise.
The required updates are available in QNAP's download center.