QNAP Major Security Bug

By: Sarit Williams, Published on Jun 10, 2013

QNAP, a manufacturer of Linux embedded NVRs and Network Attached Storage (NAS) solutions have ignored a colossal security bug. This article will delve into the sheer negligence and the high level of risk that has been transferred to their customers to bear unwillingly, in addition to discussing the vulnerabilities' ratings.

What Happened

Two test engineers employed by Daimler TSS, found several vulnerabilities with QNAP’s VioStor NVR firmware version 4.0.3 (and possibly earlier versions).

  • They hard coded a guest account that can be leveraged to create other administrator level accounts. This admin account would then give unlimited access to the NVR. Moreover, the guest account itself cannot be deactivated or modified so there's no way to shut down this violation.
  • By allowing admin level access, an attacker can simply modify any script. Even if the user is not a programmer, they could inadvertently insert a semi-colon changing the initial intent of the script all together creating havoc.
  • Once an attacker has hijacked a server, they can trick users (from the web application) into submitting sensitive data or unintentionally clicking on code the attacker wanted to spread.

These flaws are relatively simple to expose and potentially catastrophic to the NVR and anyone else attempting to use it.

Several failed attempts to contact QNAP personnel forced the software testers to report the liabilities to the Software Engineering Institute, CERT, in March of 2013 and then to other security outlets hoping for a response.

QNAP Response

3 months after it was publicly disclosed QNAP finally responded with a patch to fix the vulnerability

Highest Risk Level

The National Vulnerability Database (NVD) rates these vulnerabilities at base score of 10 – their highest vulnerability on the Common Vulnerability Scoring System (CVSS).  The three violations: CWE-284, CWE-77, and CWE-352 manipulate the system’s security and full range of features via holes left in the NVR program.

The server where the commands are executed can open the door to identifying the Network, possibly exposing other servers and gateway applications. Furthermore, adding a ‘Submit’ button can modify the NVR’s interface, or simply change the link’s path on the backend and leave the User Interface (UI) of the application in its familiar view.

Get Notified of Video Surveillance Breaking News
Get Notified of Video Surveillance Breaking News

Here's a demo video of Cross Site Request Forgery:

And here's a more advanced video demonstration if you want more.

What It Means to You

Update any QNAP systems immediately. The attack is fairly simple and described on the Internet. Any attacker can attain complete control over the web application - deleting or stealing video, accessing live streams of cameras on the network, taking control over the software’s features such as PTZ thus affecting every day functionally and compromising not just data security, but halting the ability to secure the facilities’ employees and visitors as well.   

Linux Issue?

While this was an issue with a Linux appliance, this was not a fault of Linux. QNAP clearly made a very basic mistake in setting up their web server. 

The existence of CGI itself does not cause security susceptibility; it is simply a conduit to exploiting the system’s security via holes left in the program. Their Web Server integration exposes the Common Gateway Interface (CGI) directory. This server side protocol, resides on the server to store scripts and information required by the application to delegate web commands from the client to the server to process user actions; granted proper secure authentication is provided.

Conclusion

Software Companies are known to short-circuit testing schedules and deem testing as a money pit. In this case, it was ultimately a failure of architecture and design that introduced these issues by QNAP’s developers. One may say it was an oversight, which is clearly negated by their lack of response to the testers - and CERT thus impeding mitigation for several more months. Nevertheless, Design and architecture are the basic building blocks of any application and these fundamental flaws will require a redesign of the application as a whole to address these issues thoroughly.

We suggest closely monitoring their forum, dedicated to this specific security breach for the latest update.

 

UPDATE (7/22/2013):QNAP has released the following updates for each applicable version:

QNAP VioStor NVR firmware version 4.0.3 and possibly earlier versions users are advised to upgrade to QNAP VioStor NVR system firmware version 4.0.3 build 6612.


QNAP NAS with the Surveillance Station Pro activated are advised to upgrade to QNAP Surveillance Station Pro to v3.0.2 or higher.

Comments (1) : PRO Members only. Login. or Join.

Most Recent Industry Reports

US Army Base To Buy Banned Honeywell Surveillance on Sep 17, 2019
The U.S. Army's Fort Gordon, home to their Cyber Center of Excellence, has issued a solicitation to purchase Honeywell products that are US...
Vivotek "Neural Network-Powered Detection Engine" Analytics Tested on Sep 17, 2019
Vivotek has released "a neural network-powered detection engine", named Smart Motion Detection, claiming that "swaying vegetation, vehicles passing...
Schmode is Back, Aims To Turn Boulder AI Into Giant on Sep 16, 2019
One of the most influential and controversial executives in the past decade is back. Bryan Schmode ascended and drove the hypergrowth of Avigilon...
Manufacturers Unhappy With Weak ASIS GSX 2019 And 2020 Shift on Sep 16, 2019
Manufacturers were generally unhappy with ASIS GSX, both for weak 2019 booth traffic and a scheduling shift for the 2020 show, according to a new...
How Cobalt Robotics May Disrupt Security on Sep 13, 2019
While security robots have largely become a joke over the last few years, one organization, Cobalt Robotics, has raised $50+ million from top US...
Panasonic 4K Camera Tested (WV-S2570L) on Sep 13, 2019
Panasonic has released their latest generation 4K dome, the WV-S2570L, claiming "Extreme image quality allows evidence to be captured even under...
ASIS GSX 2019 Final Show Report on Sep 12, 2019
IPVM went to Chicago for ASIS GSX 2019, with many exhibitors disappointed about traffic and the exhibitor schedule changing next year. However,...
Installation Course - Last Chance - Register Now on Sep 12, 2019
Last Chance - Register Now - September 2019 Video Surveillance Install Course. Thursday, September 12th is your last chance to register for the...
Commend ID5 Intercom Tested on Sep 12, 2019
Commend touts the new ID5 intercom as 'timelessly elegant' and the slim body, glass front touchscreen indeed looks better than common, but ugly,...
US State Department: "Chinese Tech Giants" "Tools of the Chinese Communist Party" on Sep 12, 2019
The US State Department has called out "Chinese tech giants" for being "tools of the Chinese Communist Party" in a blunt new speech that makes...