Buffer Copy Vulnerability Affects QNAP Operating System Versions

Summary

The vulnerabilities affecting QNAP operating system versions include an incorrect permission assignment for critical resource, a double free vulnerability, and a set of buffer overflow vulnerabilities. These could all be exploited by authenticated users to execute arbitrary code via a network. The CVE-2024-27130 vulnerability, in particular, is caused by the unsafe use of the 'strcpy' function in the No_Support_ACL function, and can be exploited when sharing media with external users by an attacker with a valid 'ssid' parameter. However, exploitation is made difficult by Address Space Layout Randomization (ASLR) in QTS 4.x and 5.x versions. Meanwhile, researchers have discovered 15 vulnerabilities in QNAP’s network attached storage (NAS) devices, and have released a proof-of-concept for one unauthenticated stack overflow vulnerability (CVE-2024-27130) that may be leveraged for remote code execution. NAS users are recommended to update to the latest versions of QTS and QuTS hero as soon as possible to mitigate potential threats.

News Articles

The Hacker News

CVE-2024-27130

QNAP Patches New Flaws in QTS and QuTS hero Impacting NAS Appliances

QNAP releases fixes for medium-severity flaws in QTS and QuTS hero NAS appliances.

6 months ago

Help Net Security

CVE-2024-27130

15 QNAP NAS bugs and one PoC disclosed, update ASAP! (CVE-2024-27130) - Help Net Security

Researchers have found 15 vulnerabilities in QNAP's NAS devices and have released a PoC for one (CVE-2024-27130).

6 months ago

GBHackers on Security

CVE-2024-27130

PoC Exploit Released for QNAP QTS zero-day RCE Flaw

Researchers have shown a proof-of-concept (PoC) attack for a zero-day remote code execution (RCE) flaw in the QTS operating system from QNAP.

6 months ago

More News...