June 29, 2022

NAS maker QNAP released software updates for its network-attached storage (NAS) products on Friday. The updated software package is focused on patching several security flaws, all of which could allow threat actors to gain access to devices and steal sensitive data.

Among the vulnerabilities fixed, one could let a threat actor take control of a compromised system. It is tracked as CVE-2022-27588 and carries a CVSS score of 9.8.

QVR 5.1.6 build 20220401 and later versions are reported to contain the patch for this flaw. If exploited, this critical vulnerability would allow a remote attacker to execute arbitrary commands on a vulnerable QVR system.
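The practical check that follows from the paragraph above is whether a given QVR installation is at or past the fixed build. The snippet below is an added example, not code from QNAP or from the original article. It assumes the version is reported as a string of the form "5.1.6 build 20220401", the way the advisory writes it (a dotted "5.1.6.20220401" form is also accepted); the `QVR_FIXED` constant, the regular expression and the function names are this example's own.

```python
import re

# Fixed version per the advisory: QVR 5.1.6 build 20220401 -> (major, minor, patch, build).
# The tuple is an assumption of this example about how the advisory's version maps to fields.
QVR_FIXED = (5, 1, 6, 20220401)

# Accepts "5.1.6 build 20220401", "QVR 5.1.6 build 20220401", "5.1.6.20220401" and a bare "5.1.6".
_VERSION_RE = re.compile(
    r"^\s*(?:QVR\s+)?(\d+)\.(\d+)\.(\d+)(?:\s*(?:build|\.)\s*(\d{8}))?\s*$",
    re.IGNORECASE,
)


def parse_qvr_version(text: str):
    """Parse a QVR version string into (major, minor, patch, build).

    The build number is optional in the input; when it is absent the fourth
    element is None so callers can tell "unknown build" from "build 0".
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised QVR version string: {text!r}")
    major, minor, patch, build = m.groups()
    return (int(major), int(minor), int(patch), int(build) if build else None)


def qvr_is_patched(text: str) -> bool:
    """Return True if the version is at or after QVR 5.1.6 build 20220401.

    A version with the same 5.1.6 base but no build number cannot be confirmed
    as fixed, so it is conservatively treated as unpatched.
    """
    major, minor, patch, build = parse_qvr_version(text)
    base = (major, minor, patch)
    fixed_base = QVR_FIXED[:3]
    if base > fixed_base:
        return True
    if base < fixed_base:
        return False
    return build is not None and build >= QVR_FIXED[3]


if __name__ == "__main__":
    # Constructed sample inputs, not real device output.
    for sample in ("5.1.6 build 20220401", "5.1.6 build 20220301", "5.1.5 build 20220501", "5.1.6"):
        print(f"{sample!r:>26}: {'patched' if qvr_is_patched(sample) else 'NOT patched'}")
```

The comparison deliberately refuses to call a bare "5.1.6" patched: the fix is identified by build number, and a version string without one does not prove the device has it.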


QVR is one of the video surveillance solutions QNAP offers. It is a video surveillance system that runs on QNAP devices and does not depend on any additional software.

Flaws Detected

In total, nine vulnerabilities were detected and patched; all of them are listed below:

  • CVE-2022-27588 (CVSS score: 9.8). Summary: A vulnerability has been reported to affect QNAP VS Series NVR running QVR. If exploited, this vulnerability allows remote attackers to run arbitrary commands.
  • CVE-2021-44051 (CVSS score: 8.8). Summary: A command injection vulnerability in QNAP devices running QTS, QuTS hero, and QuTScloud, resulting in arbitrary command execution.
  • CVE-2021-38693 (CVSS score: 5.3). Summary: A path traversal vulnerability in thttpd affecting QNAP devices running QTS, QuTS hero, QuTScloud, and QVR Pro Appliance, leading to information disclosure.
  • CVE-2021-44052 (CVSS score: 6.5). Summary: An improper link resolution before file access ("link following") vulnerability in QNAP devices running QTS, QuTS hero, and QuTScloud, allowing attackers to read/write files in arbitrary file locations.
  • CVE-2021-44053 (CVSS score: 5.7). Summary: A cross-site scripting (XSS) vulnerability in QNAP devices running QTS, QuTS hero, and QuTScloud, leading to code injection.
  • CVE-2021-44054 (CVSS score: 4.3). Summary: An open redirect vulnerability in QNAP devices running QTS, QuTS hero, and QuTScloud, making it possible to redirect users to rogue web pages.
  • CVE-2021-44055 (CVSS score: 5.3). Summary: A missing authorization vulnerability in QNAP devices running Video Station, allowing attackers to access data or perform unauthorized actions.
  • CVE-2021-44056 (CVSS score: 7.1). Summary: An improper authentication vulnerability in QNAP devices running Video Station, leading to system compromise.
  • CVE-2021-44057 (CVSS score: 7.1). Summary: An improper authentication vulnerability in QNAP devices running Photo Station, leading to system compromise.
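Two of the weakness classes in the list, path traversal (CVE-2021-38693) and link following (CVE-2021-44052), share a root cause: a client-supplied path is joined onto a server directory without confirming that the final, resolved target still lies inside that directory. The Python below is an added illustration of that pattern and of a hardened reader; it is not QNAP's or thttpd's code and says nothing about how those particular flaws are triggered. The directory layout, file contents and the `open_within_root` helper are constructed for this example. It assumes a POSIX filesystem with symlink support.

```python
import os
import tempfile


def naive_read(root: str, user_path: str) -> bytes:
    """Vulnerable pattern: join and open, no containment check, symlinks followed.

    os.path.join() discards `root` entirely when user_path is absolute, and
    ".." segments walk out of root; a symlink inside root is followed wherever
    it points.
    """
    with open(os.path.join(root, user_path), "rb") as f:
        return f.read()


def open_within_root(root: str, user_path: str):
    """Open user_path relative to root only if the *resolved* target stays inside root.

    Two checks are needed: a lexical one (".." traversal) and a post-resolution
    one (a symlink inside root that points outside it). The lexical check alone
    is exactly what "link following" bugs get past.
    """
    root_real = os.path.realpath(root)
    # Strip any leading "/" so an absolute input cannot replace root, then
    # collapse "." and ".." lexically.
    candidate = os.path.normpath(os.path.join(root_real, user_path.lstrip("/")))
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise ValueError("path traversal rejected")
    # Resolve symlinks in every component and re-check containment.
    resolved = os.path.realpath(candidate)
    if os.path.commonpath([root_real, resolved]) != root_real:
        raise ValueError("symlink escape rejected")
    if not os.path.isfile(resolved):
        raise ValueError("not a regular file")
    # O_NOFOLLOW refuses a symlink swapped into the final component between the
    # check above and this open (intermediate components are not covered by it).
    flags = os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0)
    return os.fdopen(os.open(resolved, flags), "rb")


def safe_read(root: str, user_path: str) -> bytes:
    with open_within_root(root, user_path) as f:
        return f.read()


def build_demo_tree() -> str:
    """Constructed sample layout (throwaway temp dir), returns the served root:

        base/secret.txt            outside the served root
        base/www/index.html        inside the served root
        base/www/escape -> ../secret.txt   symlink inside root pointing outside
    """
    base = tempfile.mkdtemp()
    root = os.path.join(base, "www")
    os.mkdir(root)
    with open(os.path.join(base, "secret.txt"), "w") as f:
        f.write("SECRET")
    with open(os.path.join(root, "index.html"), "w") as f:
        f.write("<html>ok</html>")
    os.symlink(os.path.join("..", "secret.txt"), os.path.join(root, "escape"))
    return root


def run_demo() -> dict:
    """Exercise both readers against the constructed tree and collect the outcomes."""
    root = build_demo_tree()
    results = {
        "naive_traversal": naive_read(root, "../secret.txt"),  # leaks the secret
        "naive_symlink": naive_read(root, "escape"),           # leaks the secret
        "safe_index": safe_read(root, "index.html"),           # legitimate file
    }
    for name, path in (("safe_traversal", "../secret.txt"),
                       ("safe_symlink", "escape"),
                       ("safe_absolute", "/index.html")):
        try:
            results[name] = safe_read(root, path)
        except ValueError as exc:
            results[name] = "blocked: " + str(exc)
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key:>16}: {value!r}")
```

The "safe_absolute" case shows the intended behaviour for an absolute input: the leading slash is stripped and "/index.html" is served from inside the root rather than from the filesystem root.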

The advisory published by QNAP for the critical flaw states:

"A vulnerability has been reported to affect QNAP VS Series NVR running QVR. If exploited, this vulnerability allows remote attackers to run arbitrary commands."
