QNAP Major Security BugBy Sarit Williams, Published on Jun 10, 2013
QNAP, a manufacturer of Linux embedded NVRs and Network Attached Storage (NAS) solutions have ignored a colossal security bug. This article will delve into the sheer negligence and the high level of risk that has been transferred to their customers to bear unwillingly, in addition to discussing the vulnerabilities' ratings.
- They hard coded a guest account that can be leveraged to create other administrator level accounts. This admin account would then give unlimited access to the NVR. Moreover, the guest account itself cannot be deactivated or modified so there's no way to shut down this violation.
- By allowing admin level access, an attacker can simply modify any script. Even if the user is not a programmer, they could inadvertently insert a semi-colon changing the initial intent of the script all together creating havoc.
- Once an attacker has hijacked a server, they can trick users (from the web application) into submitting sensitive data or unintentionally clicking on code the attacker wanted to spread.
These flaws are relatively simple to expose and potentially catastrophic to the NVR and anyone else attempting to use it.
Several failed attempts to contact QNAP personnel forced the software testers to report the liabilities to the Software Engineering Institute, CERT, in March of 2013 and then to other security outlets [link no longer available]hoping for a response.
3 months after it was publicly disclosed QNAP finally responded with a patch to fix the vulnerability.
Highest Risk Level
The National Vulnerability Database (NVD) rates these vulnerabilities at base score of 10 – their highest vulnerability on the Common Vulnerability Scoring System (CVSS). The three violations: CWE-284, CWE-77, and CWE-352 manipulate the system’s security and full range of features via holes left in the NVR program.
The server where the commands are executed can open the door to identifying the Network, possibly exposing other servers and gateway applications. Furthermore, adding a ‘Submit’ button can modify the NVR’s interface, or simply change the link’s path on the backend and leave the User Interface (UI) of the application in its familiar view.
Here's a demo video of Cross Site Request Forgery:
And here's a more advanced video demonstration if you want more.
What It Means to You
Update any QNAP systems immediately. The attack is fairly simple and described on the Internet. Any attacker can attain complete control over the web application - deleting or stealing video, accessing live streams of cameras on the network, taking control over the software’s features such as PTZ thus affecting every day functionally and compromising not just data security, but halting the ability to secure the facilities’ employees and visitors as well.
While this was an issue with a Linux appliance, this was not a fault of Linux. QNAP clearly made a very basic mistake in setting up their web server.
The existence of CGI itself does not cause security susceptibility; it is simply a conduit to exploiting the system’s security via holes left in the program. Their Web Server integration exposes the Common Gateway Interface (CGI) directory. This server side protocol, resides on the server to store scripts and information required by the application to delegate web commands from the client to the server to process user actions; granted proper secure authentication is provided.
Software Companies are known to short-circuit testing schedules and deem testing as a money pit. In this case, it was ultimately a failure of architecture and design that introduced these issues by QNAP’s developers. One may say it was an oversight, which is clearly negated by their lack of response to the testers - and CERT thus impeding mitigation for several more months. Nevertheless, Design and architecture are the basic building blocks of any application and these fundamental flaws will require a redesign of the application as a whole to address these issues thoroughly.
We suggest closely monitoring their forum, dedicated to this specific security breach for the latest update.
UPDATE (7/22/2013):QNAP has released the following updates for each applicable version: