Hackers goal QNAP NAS units operating a number of firmware variations susceptible to a distant code execution (RCE) flaw addressed by the seller Three years in the past.

Hackers are scanning the Web for susceptible network-attached storage (NAS) units operating a number of QNAP firmware variations susceptible to a distant code execution (RCE) vulnerability addressed by the seller Three years in the past.

Based on a report printed by researchers at Qihoo 360’s Community Safety Analysis Lab (360 Netlab) the attackers are exploiting the distant command execution vulnerability as a consequence of a command injection challenge that resides within the firmware QNAP NAS units.

The researchers found that the difficulty resides within the CGI program


that’s used when person logout to pick the corresponding logout perform based mostly on the sector identify within the Cookie.

“The issue is QPS_SID, QMS_SID and QMMS_SID doesn’t filter particular characters and instantly calls the snprintf perform to splice curl command string and calls the system perform to run the string, thus making command injection attainable.” reads the report printed by 360 Netlab.

An unauthenticated, distant attacker may exploit the flaw to realize authentication utilizing the authLogout.cgi executable as a result of it doesn’t filter out particular characters from the enter earlier than invoking the system perform to run the command string. This habits makes attainable command injection and permits for distant code execution.

Researchers warn of attacks by QNAP NAS in wild security matters

360 Netlab’s researchers reported the flaw to QNAP PSIRT on Might 13, and on August 12 the seller confirmed that the difficulty has been addressed in a earlier safety replace, however that there nonetheless are QNAP NAS units on-line that need to be upgraded.

QNAP addressed the vulnerability with the discharge of firmware model 4.3.Three on July 21, 2017. The repair proposed by the seller change the perform used to run the command strings.

“This launch changed the system perform with qnap_exec, and the qnap_exec perform is outlined within the /usr/lib/libuLinux_Util.so.0,” continues 360 Netlab. “By utilizing the execv to execute customized command, command injection has been prevented.”

The researchers observed that two attackers IP, and, have been utilizing the identical payload downloaded with a wget file after profitable exploits.

360 Netlab identified that attackers didn’t totally automate the assault utilizing a botnet, on the time their true objective continues to be a thriller.

“We suggest that QNAP NAS customers verify and replace their firmwares in a well timed method and likewise verify for irregular processes and community connections,” the researchers conclude.

The report printed by 360 Netlab consists of indicators of compromise (IoCs) together with the listing of all affected QNAP firmware variations.

In early August, the Taiwanese firm urged its customers to replace the Malware Remover app to stop NAS units from being contaminated by the QSnatch malware.

The USA Cybersecurity and Infrastructure Safety Company (CISA) and the UK’s Nationwide Cyber Safety Centre (NCSC) additionally issued a joint advisory a few large ongoing marketing campaign spreading the QSnatch data-stealing malware.

Pierluigi Paganini

(SecurityAffairs – hacking, QNAP NAS)



qnap malware remover,qnap security counselor,mr1902,qnap full factory reset,qnap security advisory,synology malware,qnap nas virus protection,qnap diskless nas,qnap nas os version,qnap qumagie manual,virus on qnap,qnap malware remover error 126,qnap malware remover logs