The network-attached storage (NAS) device maker QNAP has warned customers about a critical remote code injection vulnerability affecting devices running QTS or QuTS hero firmware and has urged users to update the firmware immediately to prevent exploitation of the flaw, which has been assigned a CVSS severity score of 9.8/10
The vulnerability, tracked as CVE-2022-27596, can be exploited remotely on Internet-exposed QNAP devices without any user interaction in a low-complexity attack. . Currently there is no proof-of-concept exploit for the vulnerability in the public domain, but if a PoC is published and weaponized, large numbers of devices could be compromised.
The vulnerability does not appear to have been exploited in the wild at present, but NAS devices have a history of being targeted by ransomware gangs and exploitation is likely if the firmware is not upgraded. Ransomware gangs known to have attacked NAS devices include Deadbolt, Qlocker, Agelocker, QSnatch, Checkmate, and Muhstik.
Scans conducted by Censys indicate there are approximately 60,000 QNAP devices in use that are exposed to the Internet, yet at the time of the security advisory, only a tiny percentage had been patched. Censys was able to obtain the firmware version on just under half of those devices, and only 550 were running the patched firmware, which suggests more than 29,000 QNAP devices have yet to be patched and are vulnerable to attack.
The vulnerability affects QNAP devices running QTS 5.0.1 or QuTS hero h5.0.1 firmware and has been fixed in QTS 220.127.116.114 build 20221201 or later and QuTS hero h18.104.22.1688 build 20221215 or later. In addition to updating the firmware, QNAP recommends customers take steps to improve security to protect against the exploitation of vulnerabilities in the future. If possible, QNAP devices should not be exposed to the Internet. Customers should also consider disabling the Port Forwarding function of the router, changing the system port number, disabling the UPnP function of the QNAP NAS, changing passwords, enabling IP and account access protection, and toggling off SSH and Telnet connections.
Customers can update the firmware via the QNAP website download center or by logging into their QTS QuTS as an administrator and checking for updates in Control Panel > System > Firmware.