QNAP Major Security Bug

By: Sarit Williams, Published on Jun 10, 2013

QNAP, a manufacturer of Linux embedded NVRs and Network Attached Storage (NAS) solutions have ignored a colossal security bug. This article will delve into the sheer negligence and the high level of risk that has been transferred to their customers to bear unwillingly, in addition to discussing the vulnerabilities' ratings.

What Happened

Two test engineers employed by Daimler TSS, found several vulnerabilities with QNAP’s VioStor NVR firmware version 4.0.3 (and possibly earlier versions).

  • They hard coded a guest account that can be leveraged to create other administrator level accounts. This admin account would then give unlimited access to the NVR. Moreover, the guest account itself cannot be deactivated or modified so there's no way to shut down this violation.
  • By allowing admin level access, an attacker can simply modify any script. Even if the user is not a programmer, they could inadvertently insert a semi-colon changing the initial intent of the script all together creating havoc.
  • Once an attacker has hijacked a server, they can trick users (from the web application) into submitting sensitive data or unintentionally clicking on code the attacker wanted to spread.

These flaws are relatively simple to expose and potentially catastrophic to the NVR and anyone else attempting to use it.

Several failed attempts to contact QNAP personnel forced the software testers to report the liabilities to the Software Engineering Institute, CERT, in March of 2013 and then to other security outlets hoping for a response.

QNAP Response

3 months after it was publicly disclosed QNAP finally responded with a patch to fix the vulnerability

Highest Risk Level

The National Vulnerability Database (NVD) rates these vulnerabilities at base score of 10 – their highest vulnerability on the Common Vulnerability Scoring System (CVSS).  The three violations: CWE-284, CWE-77, and CWE-352 manipulate the system’s security and full range of features via holes left in the NVR program.

The server where the commands are executed can open the door to identifying the Network, possibly exposing other servers and gateway applications. Furthermore, adding a ‘Submit’ button can modify the NVR’s interface, or simply change the link’s path on the backend and leave the User Interface (UI) of the application in its familiar view.

Get Notified of Video Surveillance Breaking News
Get Notified of Video Surveillance Breaking News

Here's a demo video of Cross Site Request Forgery:

And here's a more advanced video demonstration if you want more.

What It Means to You

Update any QNAP systems immediately. The attack is fairly simple and described on the Internet. Any attacker can attain complete control over the web application - deleting or stealing video, accessing live streams of cameras on the network, taking control over the software’s features such as PTZ thus affecting every day functionally and compromising not just data security, but halting the ability to secure the facilities’ employees and visitors as well.   

Linux Issue?

While this was an issue with a Linux appliance, this was not a fault of Linux. QNAP clearly made a very basic mistake in setting up their web server. 

The existence of CGI itself does not cause security susceptibility; it is simply a conduit to exploiting the system’s security via holes left in the program. Their Web Server integration exposes the Common Gateway Interface (CGI) directory. This server side protocol, resides on the server to store scripts and information required by the application to delegate web commands from the client to the server to process user actions; granted proper secure authentication is provided.

Conclusion

Software Companies are known to short-circuit testing schedules and deem testing as a money pit. In this case, it was ultimately a failure of architecture and design that introduced these issues by QNAP’s developers. One may say it was an oversight, which is clearly negated by their lack of response to the testers - and CERT thus impeding mitigation for several more months. Nevertheless, Design and architecture are the basic building blocks of any application and these fundamental flaws will require a redesign of the application as a whole to address these issues thoroughly.

We suggest closely monitoring their forum, dedicated to this specific security breach for the latest update.

 

UPDATE (7/22/2013):QNAP has released the following updates for each applicable version:

QNAP VioStor NVR firmware version 4.0.3 and possibly earlier versions users are advised to upgrade to QNAP VioStor NVR system firmware version 4.0.3 build 6612.


QNAP NAS with the Surveillance Station Pro activated are advised to upgrade to QNAP Surveillance Station Pro to v3.0.2 or higher.

Comments (1) : PRO Members only. Login. or Join.

Most Recent Industry Reports

HD Analog vs IP Guide on Jul 16, 2019
For years, HD resolution and single cable signal/power were IP camera advantages, with analog cameras limited to much lower resolution and...
How To Troubleshoot Wiegand Reader Problems - Inverted Wiring on Jul 16, 2019
Wiegand is the dominant method of connecting access readers, but problems can arise for installers. In fact, one of the most difficult reader...
ZeroEyes Gun Detection Startup on Jul 16, 2019
A gun detection video analytics startup, ZeroEyes, is being led by a group of 6 former Navy SEALs, aiming to "save lives" by using AI to assist...
Motorola Acquires Watchguard, Adds to Vigilant And Avigilon on Jul 15, 2019
2 years ago, Motorola had no position nor relevancy to video surveillance. Now, they own major video surveillance, LPR and body camera providers...
Hikvision Global News Reports Directory on Jul 15, 2019
Hikvision has received the most global news reporting of any video surveillance company, ever, ranging from the WSJ, the Financial Times, Reuters,...
Vivotek Trend Micro Cyber Security Camera App Tested on Jul 15, 2019
Vivotek and Trend Micro are claiming five million blocked attacks on IP cameras, with their jointly developed app for Vivotek cameras. This new...
Beware African 50,000 IP Camera Contract Scam on Jul 12, 2019
A “Nigerian Prince” scam for the video surveillance market is going around. You, or at least we, could be lucky enough to be the single bidder for...
Axis ARTPEC-7 P1375-E Camera Tested on Jul 12, 2019
Axis claims the new P1375-E box camera with ARTPEC-7 chip delivers "clear, sharp images in any lighting condition." But how well does it do? We...
Last Chance - Camera Course Summer 2019 on Jul 11, 2019
Last day to register is Thursday, July 11, 2019. This is the only independent surveillance camera course, based on in-depth product and technology...
Nortek Blue Pass Mobile Access Reader Tested on Jul 11, 2019
Nortek claims BluePass mobile readers are a 'more secure and easy to use approach to access', but our testing uncovered security problems and...

The world's leading video surveillance information source, IPVM provides the best reporting, testing and training for 10,000+ members globally. Dedicated to independent and objective information, we uniquely refuse any and all advertisements, sponsorship and consulting from manufacturers.

About | FAQ | Contact