Attacker Value
High
CVE-2020-2509
CVE-2020-2509
(Last updated November 15, 2023) ▾
MITRE ATT&CK
Log in to add MITRE ATT&CK tag
Add MITRE ATT&CK tactics and techniques that apply to this CVE.
Initial Access
Techniques
Validation
Description
A command injection vulnerability has been reported to affect QTS and QuTS hero. If exploited, this vulnerability allows attackers to execute arbitrary commands in a compromised application. We have already fixed this vulnerability in the following versions: QTS 4.5.2.1566 Build 20210202 and later QTS 4.5.1.1495 Build 20201123 and later QTS 4.3.6.1620 Build 20210322 and later QTS 4.3.4.1632 Build 20210324 and later QTS 4.3.3.1624 Build 20210416 and later QTS 4.2.6 Build 20210327 and later QuTS hero h4.5.1.1491 build 20201119 and later
Add Assessment
2
Technical Analysis
Not sure this is the vuln (and I can’t test it), but it stood out to me because the exec_mount() function no longer calls popen(3)… or much of anything else:
int32_t exec_mount(int32_t a1, int32_t a2, int32_t a3, int32_t a4, int32_t a5, int32_t a6) { - int32_t str3; - memset(&str3, 0, (int32_t)&g2); - int32_t str4; - memset(&str4, 0, (int32_t)&g1); - sprintf((char *)&str3, "mount.cifs -o \"username=%s,password=\"%s\",soft,iocharset=utf8,%s%s\" %s %s 2>&1", (char *)a3, (char *)a4, (char *)a5, (char *)a6, (char *)a1, (char *)a2); - struct _IO_FILE * stream = popen((char *)&str3, "r"); - char * str = fgets((char *)&str4, (int32_t)&g265, stream); - int32_t result = 0; - if (str != NULL) { - while (strstr((char *)&str4, (char *)((int32_t)&g177 + 0x109d4)) == NULL) { - char * str2 = fgets((char *)&str4, (int32_t)&g265, stream); - result = -1; - if (str2 == NULL) { - goto lab_0x10a14; - } - } - char * found_char_pos = strchr((char *)&str4, 40); - result = -13; - if (found_char_pos != NULL) { - char * str5 = (char *)((int32_t)found_char_pos + 1); - *strchr(str5, 41) = 0; - sscanf(str5, "%d"); - result = -1; - } - } - lab_0x10a14: - if (stream != NULL) { - pclose(stream); - } - return result; + int32_t str; + memset(&str, 0, (int32_t)&g2); + sprintf((char *)&str, "mount.cifs -o \"username=%s,password=\"%s\",soft,iocharset=utf8,%s%s\" %s %s 2>&1", (char *)a3, (char *)a4, (char *)a5, (char *)a6, (char *)a1, (char *)a2); + return 0; }
The CIFS_Mount_Speed() function no longer calls system(3) either:
int32_t CIFS_Mount_Speed(int32_t a1, int32_t a2, int32_t a3, int32_t a4) { int32_t str; memset(&str, 0, (int32_t)&g1); int32_t str2; - memset(&str2, 0, (int32_t)&g83); + memset(&str2, 0, (int32_t)&g82); int32_t v1 = 0; int32_t v2; - memset(&v2, 0, (int32_t)&g80); + memset(&v2, 0, (int32_t)&g79); int32_t v3; memset(&v3, 0, 128); int32_t v4; function_3a18((int32_t)((char)v4 == 47) + a2, &v1); int32_t v5; function_3a18(a3, &v5); function_3a18(a4, &v3); char * v6 = (char *)a1; sprintf((char *)&str, "//%s/%s", v6, &v1); sprintf((char *)&str2, "%s/%s/%s/%s", "/mnt/RTRR_CIFS", v6, &v3, &v1); int32_t str3; sprintf((char *)&str3, "mkdir -p %s", &str2); - system((char *)&str3); int32_t v7; - memcpy(&v7, (int32_t *)((int32_t)&g169 + 0x10bb0), (int32_t)&g90); + memcpy(&v7, (int32_t *)((int32_t)&g158 + 0x10a7c), (int32_t)&g89); int32_t v8; - memcpy(&v8, (int32_t *)((int32_t)&g169 + 0x10df0), 128); + memcpy(&v8, (int32_t *)((int32_t)&g158 + 0x10cbc), 128); int32_t v9 = &v7; int32_t v10 = function_3e20(&str, &str2, a4, &v5, v9, &v8); int32_t result = 0; while (v10 != 0) { int32_t v11; int32_t v12 = function_3e20(&str, &str2, a4, &v5, v9, &v11); result = 0; if (v12 == 0) { break; } v9 += 64; if (v9 == (int32_t)&v5) { result = -v12; return result; } v10 = function_3e20(&str, &str2, a4, &v5, v9, &v8); result = 0; } - lab_0x10c7c: + lab_0x10b6c: return result; }
function_3e20() above is actually exec_mount(). Sorry about that.
CVSS V3 Severity and Metrics
Data provided by the National Vulnerability Database (NVD)
Base Score:
9.8 Critical
Impact Score:
5.9
Exploitability Score:
3.9
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High
General Information
Vendors
- qnap
Products
- qts,
- qts 4.2.6,
- qts 4.3.3.0174,
- qts 4.3.3.0868,
- qts 4.3.3.0998,
- qts 4.3.3.1051,
- qts 4.3.3.1098,
- qts 4.3.3.1161,
- qts 4.3.3.1252,
- qts 4.3.3.1315,
- qts 4.3.3.1386,
- qts 4.3.3.1432,
- qts 4.3.4.0358,
- qts 4.3.4.0370,
- qts 4.3.4.0372,
- qts 4.3.4.0374,
- qts 4.3.4.0387,
- qts 4.3.4.0411,
- qts 4.3.4.0416,
- qts 4.3.4.0427,
- qts 4.3.4.0434,
- qts 4.3.4.0435,
- qts 4.3.4.0451,
- qts 4.3.4.0483,
- qts 4.3.4.0486,
- qts 4.3.4.0506,
- qts 4.3.4.0516,
- qts 4.3.4.0526,
- qts 4.3.4.0551,
- qts 4.3.4.0557,
- qts 4.3.4.0561,
- qts 4.3.4.0569,
- qts 4.3.4.0593,
- qts 4.3.4.0597,
- qts 4.3.4.0604,
- qts 4.3.4.0899,
- qts 4.3.4.1029,
- qts 4.3.4.1082,
- qts 4.3.4.1190,
- qts 4.3.4.1282,
- qts 4.3.4.1368,
- qts 4.3.4.1417,
- qts 4.3.4.1463,
- qts 4.3.6,
- qts 4.3.6.0895,
- qts 4.3.6.0907,
- qts 4.3.6.0923,
- qts 4.3.6.0944,
- qts 4.3.6.0959,
- qts 4.3.6.0979,
- qts 4.3.6.0993,
- qts 4.3.6.1013,
- qts 4.3.6.1033,
- qts 4.3.6.1070,
- qts 4.3.6.1154,
- qts 4.3.6.1218,
- qts 4.3.6.1263,
- qts 4.3.6.1286,
- qts 4.3.6.1333,
- qts 4.3.6.1411,
- qts 4.3.6.1446,
- qts 4.5.1,
- qts 4.5.1.1456,
- qts 4.5.1.1461,
- qts 4.5.1.1465,
- qts 4.5.1.1480,
- qts 4.5.2,
- quts hero,
- quts hero h4.5.1,
- quts hero h4.5.1.1472
Exploited in the Wild
References
Miscellaneous
