QNAP releases security patch for high-severity vulnerability

Target Industry

Indiscriminate, opportunistic targeting.

Overview

Severity level: High – Compromise may result in the loss of confidentiality and integrity of data in the first instance.

QNAP has released a security patch relating to a high-severity vulnerability, tracked as CVE-2023-22809 (CVSSv3 Score: 7.8). The security flaw pertains to a Sudo privilege escalation issue in QNAP Linux Network-Attached Storage (NAS) devices. The vulnerability exists because a user-specified editor containing a “--” argument defeats the associated protection mechanism.

QNAP’s security advisory has not classified the vulnerability as being actively exploited in the wild.

Impact

Successful exploitation of CVE-2023-22809 could allow threat actors to add arbitrary entries to the list of files to be processed, including files they are not authorised to modify, which could lead to privilege escalation.

Vulnerability Detection

QNAP has patched the vulnerability for the respective products. Earlier versions remain vulnerable to potential exploitation.

Affected Products

– Sudo versions 1.8.0 – 1.9.12p1

The vulnerability also affects the following NAS operating systems:

– QTS
– QuTS hero
– QuTScloud
– QVP (QVR Pro appliances).
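The following is an added example, not part of the original bulletin or any QNAP or Sudo tooling: a small Python check that parses the output of `sudo --version` and reports whether the installed Sudo falls inside the affected range above (1.8.0 through 1.9.12p1, inclusive). The `pN` patch-level suffix is treated as a fourth version component so that 1.9.12p1 compares lower than 1.9.12p2; the sample version string in the script is constructed so it runs offline.

```python
import re
import subprocess

# Affected range stated in the bulletin: Sudo 1.8.0 through 1.9.12p1 (inclusive).
# Versions are compared as (major, minor, patch, p-level) tuples.
VULN_MIN = (1, 8, 0, 0)
VULN_MAX = (1, 9, 12, 1)

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?")


def parse_sudo_version(text):
    """Extract (major, minor, patch, p-level) from a version string or from
    the first line of `sudo --version` output, e.g. 'Sudo version 1.9.12p1'.
    A missing 'pN' suffix counts as p0. Returns None if no version is found."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def is_vulnerable_sudo(text):
    """True when the parsed version lies inside 1.8.0..1.9.12p1.
    Tuple ordering gives (1, 9, 12, 1) < (1, 9, 12, 2) < (1, 9, 13, 0)."""
    v = parse_sudo_version(text)
    if v is None:
        raise ValueError(f"no sudo version found in: {text!r}")
    return VULN_MIN <= v <= VULN_MAX


def installed_sudo_version():
    """Run `sudo --version` on the local host and return its first output
    line, or None if sudo is unavailable (e.g. on a non-Linux workstation)."""
    try:
        out = subprocess.run(["sudo", "--version"], capture_output=True,
                             text=True, check=True)
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None
    return out.stdout.splitlines()[0] if out.stdout else None


if __name__ == "__main__":
    # Constructed sample line used when sudo is not present, so the check
    # can be demonstrated offline.
    sample = installed_sudo_version() or "Sudo version 1.9.12p1"
    state = "VULNERABLE" if is_vulnerable_sudo(sample) else "outside affected range"
    print(f"{sample}: {state} for CVE-2023-22809")
```

On a QNAP device the same check applies to the Sudo binary shipped with the firmware; the authoritative remediation remains the QTS/QuTS hero update described below.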

Containment, Mitigations & Remediations

It is strongly recommended that the relevant operating system updates are applied as soon as they are available.

QNAP has addressed the security flaw in the QTS and QuTS hero platforms. However, a fix for the QuTScloud and QVP operating systems is still in development at the time of writing.

To update the QTS, QuTS hero, and QuTScloud operating systems, follow the steps below:

– Select the “Check for Update” option under the “Live Update” section after logging in as the admin user
– Navigate to “Control Panel”
– Select “System”
– Select “Firmware Update”.

Alternatively, users can apply the firmware update manually by selecting their device’s product type and model in QNAP’s Download Centre, downloading the update, and installing it.

Indicators of Compromise

No specific Indicators of Compromise (IoCs) are available at this time.

Threat Landscape

QNAP NAS devices have recently been targeted by DeadBolt and eCh0raix ransomware campaigns where the respective operators abused the associated vulnerabilities to encrypt data on Internet-exposed devices.

QNAP currently holds approximately half of the NAS market share. Given that threat actors generally weigh a combination of probability and asset value when deciding which attack surfaces to focus on, QNAP NAS systems have become a prime target. Because NAS systems are an integral part of business operations, threat actors will continue to exploit vulnerabilities in these devices in an attempt to extract the sensitive data they hold.

Threat Group

No attribution to specific threat actors or groups has been identified at the time of writing.

Mitre Methodologies

Tactic:

TA0004 – Privilege Escalation

Further Information

QNAP Security Advisory
Synacktiv Security Advisory
