Two zero-day vulnerabilities have been discovered in several Quality Network Appliance Provider (QNAP) operating systems (OS) for network attached storage (NAS) appliances, affecting approximately 80,000 devices globally. The vulnerabilities, which are yet to be patched for two of the four impacted OS, were identified by researchers at Sternum. QNAP offers hardware and software solutions for Internet of Things (IoT) storage, networking, and smart video. The OS bugs identified are memory access violations that could lead to unstable code and provide a pathway for an authenticated cybercriminal to execute arbitrary code. The vulnerabilities, tracked under CVE-2022-27597 and CVE-2022-27598, impact QTS, QuTS hero, QuTScloud, and QVP OS. Patches have been issued for QTS version 22.214.171.1246 build 20230322 (and later) and QuTS hero version h126.96.36.1998 build 20230324 (and later), while QuTScloud and QVP OS remain unpatched. QNAP has stated that it is "urgently fixing" the flaws.
Sternum researchers explain that the memory access violations affect not only the security but also the performance of the QNAP devices. Amit Serper, Sternum's director of security research, states, "From a performance point of view, they could lead to stability issues and unpredictable code behavior. From a security perspective, they can be used for arbitrary code execution by a malicious threat actor." The QNAP security advisory adds, "If exploited, the vulnerability allows remote authenticated users to get secret values." Although the bugs are classified as "low-severity," and Sternum's researchers have not observed them being exploited in the wild, it is crucial to apply the patch promptly, as QNAP users are a popular target for cybercriminals.
The DeadBolt ransomware group has been seen exploiting a range of zero-day vulnerabilities in multiple cyber campaigns against QNAP users in 2022, with incidents occurring in May, June, and September. Mark Parkin, senior technical engineer with Vulcan Cyber, notes that DeadBolt is determined to find and exploit QNAP flaws, particularly critical zero-days. He explains, "It's sometimes said that finding one vulnerability in a target will lead people into looking for more. The issue here is that they are finding more as they look. It almost makes you wonder if the attackers don't have access to the source code, or some other way to get an inside track."
Organizations must ensure that their highly targeted QNAP systems are up to date, especially given the frequent discovery of new vulnerabilities. In addition to Sternum's recent findings, QNAP QTS OS users were alerted to a critical SQL injection issue with a CVSS score of 9.8 in February. To address the latest vulnerabilities, users with systems lacking an available patch should use a robust endpoint detection and response (EDR) solution and look for indicators of compromise. As cyberattackers need to be authenticated, auditing access to vulnerable systems and implementing additional authentication protection could help mitigate an attack. Bud Broomhead, CEO of Viakoo, warns that securing the appliances may require a change in mindset for some companies, as QNAP devices are often misconfigured, unprotected by firewalls, and unpatched. He adds, "These devices often are invisible to corporate IT and security teams and do not get audited or observed when they fall out of compliance, such as by being on out-of-date and insecure firmware."
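The advice above boils down to an inventory question: for every QNAP appliance, is it on a fixed build, can it be patched, or does it need compensating controls? The script below is an added example (not code from Sternum, QNAP, or the article) that answers that question from the build dates the article gives: QTS build 20230322 and QuTS hero build 20230324 as the earliest fixed builds, with QuTScloud and QVP having no fix available. The hostnames, the inventory records, and the firmware strings are constructed for illustration; the only comparison made is on the eight-digit build date, since the version numbers as printed on the page are not reliable enough to parse.

```python
"""Fleet triage for the QNAP zero-days discussed above.

Added example, not from Sternum or QNAP. It maps each appliance's OS family and
build date to one of four statuses so that every host gets the right action:
patch it, leave it, compensate (no fix exists yet), or fix the inventory gap.
"""
from dataclasses import dataclass
import re

# Earliest fixed build per OS family, as reported in the article.
# QuTScloud and QVP map to None: no patched build had been published.
FIXED_BUILD = {
    "QTS": 20230322,
    "QuTS hero": 20230324,
    "QuTScloud": None,
    "QVP": None,
}

# QNAP firmware strings carry the build as "build YYYYMMDD"; that date is all we compare on.
BUILD_RE = re.compile(r"build\s+(\d{8})", re.IGNORECASE)


@dataclass
class Appliance:
    host: str
    os_family: str
    version_string: str  # firmware string as reported by the device (constructed here)


def parse_build(version_string):
    """Return the 8-digit build date from a firmware string, or None if absent."""
    m = BUILD_RE.search(version_string)
    return int(m.group(1)) if m else None


def classify(app):
    """Return 'patched', 'unpatched', 'no_patch_available' or 'unknown'."""
    if app.os_family not in FIXED_BUILD:
        return "unknown"
    fixed = FIXED_BUILD[app.os_family]
    if fixed is None:
        return "no_patch_available"
    build = parse_build(app.version_string)
    if build is None:
        return "unknown"
    return "patched" if build >= fixed else "unpatched"


def triage(appliances):
    """Group hostnames by status so each bucket can be actioned as a unit."""
    buckets = {"patched": [], "unpatched": [], "no_patch_available": [], "unknown": []}
    for app in appliances:
        buckets[classify(app)].append(app.host)
    return buckets


# Follow-up per bucket, mirroring the mitigations the article lists.
ACTION = {
    "patched": "no action for these CVEs",
    "unpatched": "apply the fixed build",
    "no_patch_available": "compensate: audit logins, add authentication protection, watch EDR for IoCs",
    "unknown": "inventory gap: confirm OS family and build by hand",
}

# Constructed sample inventory; hostnames and builds are made up for illustration.
SAMPLE_INVENTORY = [
    Appliance("nas-fin-01", "QTS", "QTS build 20230322"),
    Appliance("nas-fin-02", "QTS", "QTS build 20221105"),
    Appliance("nas-eng-01", "QuTS hero", "QuTS hero build 20230324"),
    Appliance("nas-eng-02", "QuTS hero", "QuTS hero build 20230301"),
    Appliance("nas-cloud-01", "QuTScloud", "QuTScloud build 20230201"),
    Appliance("vs-cam-01", "QVP", "QVP build 20221220"),
    Appliance("nas-lab-01", "QTS", "firmware string unavailable"),
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:19s} {ACTION[status]}: {hosts}")
```

The point of the "unknown" bucket is the one Broomhead makes: appliances that never made it into inventory, or whose firmware string cannot be read, are exactly the ones that fall out of compliance unnoticed, so they are surfaced rather than silently skipped.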