Unpatched QNAP storage devices exposed to ransomware
Censys, a security firm, has warned that up to 29,000 network storage devices manufactured by Taiwan-based QNAP are vulnerable to easily executed SQL injection attacks, granting complete control to unauthenticated Internet users.
The vulnerability, tracked as CVE-2022-27596, is rated 9.8 out of a possible 10 on the CVSS scale and affects QTS 5.0.1 and QuTS hero h5.0.1. QNAP fixed it in QTS 5.0.1.2234 build 20221201 and QuTS hero h5.0.1.2248 build 20221215 and later. Early reporting put the number of exposed QNAP network-attached storage (NAS) devices at roughly 30,000; Censys now cites about 29,000. The difference does not change the picture: a large population of unpatched, Internet-reachable devices remains.
The entry in NIST’s National Vulnerability Database classifies the flaw as a SQL injection, “improper neutralization of special elements used in an SQL command.” QNAP’s own advisory is less specific and says only that a remote attacker could exploit the vulnerability to inject malicious code.
According to Censys, the top ten countries with hosts running vulnerable versions are the United States, Italy, Taiwan, Germany, Japan, France, Hong Kong, South Korea, the United Kingdom, and Poland. Censys based its findings on the JSON-encoded affected-version data QNAP attached to its advisory together with the NVD entry.
The exact technical details of the flaw have not been published, but given the NVD classification, the usual consequences of SQL injection apply: an attacker can read, modify, or delete data and, in the worst case, gain administrative control of the system running the vulnerable application.
QNAP issued patching instructions, but Censys found that of the 67,415 QNAP hosts it observed, a firmware version could be determined for only about 30,500, and roughly 98% of those were still running vulnerable builds; only about 2% had been patched. That raises the concern that ransomware campaigns such as DeadBolt, which has repeatedly targeted QNAP devices, could exploit this vulnerability and cause serious damage.
Users are advised to log in to QTS or QuTS hero as an administrator, navigate to Control Panel > System > Firmware Update, and select “Check for Update” under the “Live Update” section. Independently of patching, the NAS management interface should not be reachable from the Internet: disable UPnP and any port forwarding for it on the router, which is QNAP’s standing guidance for its devices.
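The way Censys arrived at its numbers, splitting hosts into version-known and version-unknown and then comparing the known versions against the fixed builds, is easy to reproduce for an internal inventory. The following Python triage script is an added example written for this page, not code from Censys, QNAP, or Ars Technica. It assumes a QNAP version banner of the form `QTS 5.0.1.2234 build 20221201` or `QuTS hero h5.0.1.2248 build 20221215`; the fixed-build thresholds are taken from QNAP advisory QSA-23-01 as the editor recalls them and should be confirmed against the current advisory; the hostnames and versions in the inventory are constructed.

```python
import re
from typing import Dict, List, Optional, Tuple

# Fixed builds as listed in QNAP advisory QSA-23-01 (editor's recollection,
# not taken from this article; confirm against the current advisory).
FIXED_BUILDS = {
    "QTS": ((5, 0, 1, 2234), 20221201),
    "QuTS hero": ((5, 0, 1, 2248), 20221215),
}
AFFECTED_BRANCH = (5, 0, 1)  # the only branch the advisory names as affected

# Matches banners such as "QTS 5.0.1.2234 build 20221201" or "QuTS hero h5.0.1.2248".
# The banner format itself is an assumption of this example.
VERSION_RE = re.compile(
    r"^(?P<product>QTS|QuTS hero)\s+h?(?P<ver>\d+\.\d+\.\d+\.\d+)"
    r"(?:\s+build\s+(?P<build>\d{8}))?$",
    re.IGNORECASE,
)


def parse_version(banner: str) -> Optional[Tuple[str, Tuple[int, ...], Optional[int]]]:
    """Return (product, version tuple, build date or None), or None if unparseable."""
    m = VERSION_RE.match(banner.strip())
    if not m:
        return None
    product = "QTS" if m.group("product").lower() == "qts" else "QuTS hero"
    ver = tuple(int(x) for x in m.group("ver").split("."))
    build = int(m.group("build")) if m.group("build") else None
    return product, ver, build


def classify(product: str, ver: Tuple[int, ...], build: Optional[int]) -> str:
    """One of: vulnerable, patched, undetermined, out_of_scope."""
    if ver[:3] != AFFECTED_BRANCH:
        return "out_of_scope"
    fixed_ver, fixed_build = FIXED_BUILDS[product]
    if ver < fixed_ver:
        return "vulnerable"
    if ver > fixed_ver:
        return "patched"
    if build is None:
        return "undetermined"  # same version number; only the build date decides
    return "vulnerable" if build < fixed_build else "patched"


def triage(inventory: List[Tuple[str, str]]) -> Tuple[Dict[str, int], List[str]]:
    """Count hosts per verdict and list the ones that need patching first."""
    counts = {"vulnerable": 0, "patched": 0, "undetermined": 0,
              "out_of_scope": 0, "unknown_version": 0}
    to_patch: List[str] = []
    for host, banner in inventory:
        parsed = parse_version(banner)
        if parsed is None:
            counts["unknown_version"] += 1  # Censys also had to drop such hosts
            continue
        verdict = classify(*parsed)
        counts[verdict] += 1
        if verdict == "vulnerable":
            to_patch.append(host)
    return counts, to_patch


def vulnerable_share(counts: Dict[str, int]) -> float:
    """Share of in-scope hosts with a decidable version that are vulnerable,
    i.e. the same denominator Censys used (version-determined hosts only)."""
    known = counts["vulnerable"] + counts["patched"]
    return counts["vulnerable"] / known if known else 0.0


# Constructed inventory for the example; hostnames and version strings are made up.
SAMPLE_INVENTORY = [
    ("nas-01.example.internal", "QTS 5.0.1.2145 build 20220903"),        # below fixed version
    ("nas-02.example.internal", "QTS 5.0.1.2234 build 20221201"),        # exactly the fixed build
    ("nas-03.example.internal", "QuTS hero h5.0.1.2248 build 20221215"), # exactly the fixed build
    ("nas-04.example.internal", "QuTS hero h5.0.1.2192"),                # below fixed version, no build
    ("nas-05.example.internal", "QTS 5.0.1.2234"),                       # fixed version, build unknown
    ("nas-06.example.internal", "QTS 4.5.4.2280 build 20230112"),        # branch not in the advisory
    ("nas-07.example.internal", ""),                                     # no version obtainable
]

if __name__ == "__main__":
    counts, hosts = triage(SAMPLE_INVENTORY)
    print(counts)
    print("patch first:", hosts)
    print(f"vulnerable share of decidable hosts: {vulnerable_share(counts):.0%}")
```

The "undetermined" bucket matters in practice: a host reporting the fixed version number without a build date cannot be cleared, because QNAP ships several builds under one version number and only the build date distinguishes the patched one.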
The sources for this piece include an article in Ars Technica.