QNAP Major Security Bug

By Sarit Williams, Published on Jun 10, 2013

QNAP, a manufacturer of Linux embedded NVRs and Network Attached Storage (NAS) solutions have ignored a colossal security bug. This article will delve into the sheer negligence and the high level of risk that has been transferred to their customers to bear unwillingly, in addition to discussing the vulnerabilities' ratings.

What Happened

Two test engineers employed by Daimler TSS, found several vulnerabilities with QNAP’s VioStor NVR firmware version 4.0.3 (and possibly earlier versions).

  • They hard coded a guest account that can be leveraged to create other administrator level accounts. This admin account would then give unlimited access to the NVR. Moreover, the guest account itself cannot be deactivated or modified so there's no way to shut down this violation.
  • By allowing admin level access, an attacker can simply modify any script. Even if the user is not a programmer, they could inadvertently insert a semi-colon changing the initial intent of the script all together creating havoc.
  • Once an attacker has hijacked a server, they can trick users (from the web application) into submitting sensitive data or unintentionally clicking on code the attacker wanted to spread.

These flaws are relatively simple to expose and potentially catastrophic to the NVR and anyone else attempting to use it.

Several failed attempts to contact QNAP personnel forced the software testers to report the liabilities to the Software Engineering Institute, CERT, in March of 2013 and then to other security outlets [link no longer available]hoping for a response.

QNAP Response

3 months after it was publicly disclosed QNAP finally responded with a patch to fix the vulnerability

Highest Risk Level

The National Vulnerability Database (NVD) rates these vulnerabilities at base score of 10 – their highest vulnerability on the Common Vulnerability Scoring System (CVSS).  The three violations: CWE-284, CWE-77, and CWE-352 manipulate the system’s security and full range of features via holes left in the NVR program.

The server where the commands are executed can open the door to identifying the Network, possibly exposing other servers and gateway applications. Furthermore, adding a ‘Submit’ button can modify the NVR’s interface, or simply change the link’s path on the backend and leave the User Interface (UI) of the application in its familiar view.

Get Notified of Video Surveillance Breaking News
Get Notified of Video Surveillance Breaking News

Here's a demo video of Cross Site Request Forgery:

And here's a more advanced video demonstration if you want more.

What It Means to You

Update any QNAP systems immediately. The attack is fairly simple and described on the Internet. Any attacker can attain complete control over the web application - deleting or stealing video, accessing live streams of cameras on the network, taking control over the software’s features such as PTZ thus affecting every day functionally and compromising not just data security, but halting the ability to secure the facilities’ employees and visitors as well.   

Linux Issue?

While this was an issue with a Linux appliance, this was not a fault of Linux. QNAP clearly made a very basic mistake in setting up their web server. 

The existence of CGI itself does not cause security susceptibility; it is simply a conduit to exploiting the system’s security via holes left in the program. Their Web Server integration exposes the Common Gateway Interface (CGI) directory. This server side protocol, resides on the server to store scripts and information required by the application to delegate web commands from the client to the server to process user actions; granted proper secure authentication is provided.

Conclusion

Software Companies are known to short-circuit testing schedules and deem testing as a money pit. In this case, it was ultimately a failure of architecture and design that introduced these issues by QNAP’s developers. One may say it was an oversight, which is clearly negated by their lack of response to the testers - and CERT thus impeding mitigation for several more months. Nevertheless, Design and architecture are the basic building blocks of any application and these fundamental flaws will require a redesign of the application as a whole to address these issues thoroughly.

We suggest closely monitoring their forum, dedicated to this specific security breach for the latest update.

 

UPDATE (7/22/2013):QNAP has released the following updates for each applicable version:

QNAP VioStor NVR firmware version 4.0.3 and possibly earlier versions users are advised to upgrade to QNAP VioStor NVR system firmware version 4.0.3 build 6612.


QNAP NAS with the Surveillance Station Pro activated are advised to upgrade to QNAP Surveillance Station Pro to v3.0.2 or higher.

Comments (1) : Members only. Login. or Join.

Related Reports

Dahua Critical Cloud Vulnerabilities on May 12, 2020
Dahua has acknowledged a series of cloud vulnerabilities that researcher...
Use Access Control Logs To Constrain Coronavirus on Apr 09, 2020
Access control users have included capabilities that are not commonly used...
Beware Of Feevr on Apr 14, 2020
Beware of "Feevr". The company is marketing a 'Feevr' solution that...
China DVR/NVR Backdoor Discovered, Huawei Refutes on Feb 07, 2020
A backdoor was found in Chinese-produced DVRs and NVRs that secretly allowed...
Anixter Runs Fake Coronavirus Marketing Using Shutterstock Watermarked Images on Jul 24, 2020
Coronavirus faked marketing is regrettably commonplace right now but Anixter...
Breaking Into A Facility Using Canned Air Tested on Jan 28, 2020
Access control is supposed to make doors more secure, but a $5 can of...
False: Verkada: "If You Want To Remote View Your Cameras You Need To Punch Holes In Your Firewall" on Jul 31, 2020
Verkada falsely declared to “3,000+ customers”, “300 school districts”, and...
Vulnerability Directory For Access Credentials on Feb 20, 2020
Knowing which access credentials are insecure can be difficult to see,...
Masks Cause Major Facial Recognition Problems on Feb 24, 2020
Coronavirus is spurring an increase in the use of medical masks, which new...
Forced Door Alarms For Access Control Tutorial on Aug 17, 2020
One of the most important access control alarms is also often ignored....
Verkada Falsely Claims "First Native Cloud-based Access Control and Video Security Solution" on Jun 18, 2020
Verkada's false claims continue, this time to be the first native cloud-based...
Drain Wire For Access Control Reader Tutorial on Sep 23, 2020
An easy-to-miss cabling specification plays a key role in access control, yet...
The Insecure Verkada Access Control System on Jun 25, 2020
While Verkada touts the security of its system and that how their new door...
Milestone Presents XProtect On AWS on May 04, 2020
Milestone presented its XProtect on AWS offering at the April 2020 IPVM New...
WDR Cheat Sheet and Camera Tracking - 30 Manufacturers on Aug 26, 2020
Manufacturers are regularly cryptic about what WDR support they actually...

Recent Reports

Avigilon Aggressive Trade-In Program Takes Aim At Competitors on Oct 20, 2020
Avigilon has launched one of the most aggressive trade-in programs the video...
Mexico Video Surveillance Market Overview 2020 on Oct 20, 2020
Despite being neighbors, there are key differences between the U.S. and...
Dahua Revenue Grows But Profits Down, Cause Unclear on Oct 20, 2020
While Dahua's overall revenue was up more than 12% in Q3 2020, a significant...
Illegal Hikvision Fever Screening Touted In Australia, Government Investigating, Temperature References Deleted on Oct 20, 2020
The Australian government told IPVM that they are investigating a Hikvision...
Panasonic Presents i-PRO Cameras and Video Analytics on Oct 19, 2020
Panasonic presented its i-PRO X-Series cameras and AI video analytics at the...
Augmented Reality (AR) Cameras From Hikvision and Dahua Examined on Oct 19, 2020
Hikvision, Dahua, and other China companies are marketing augmented reality...
18 TB Video Surveillance Drives (WD and Seagate) on Oct 19, 2020
Both Seagate and Western Digital recently announced 18TB hard drives...
Watrix Gait Recognition Profile on Oct 16, 2020
Watrix is the world's only gait recognition surveillance provider IPVM has...
Intel Presents Edge-to-Cloud Ecosystem for Video Analytics on Oct 16, 2020
Intel presented its processors and software toolkit for computer vision at...
Microsoft Azure Presents Live Video Analytics on Oct 15, 2020
Microsoft Azure presented its Live Video Analytics offering at the September...
Worst Manufacturer Technical Support 2020 on Oct 15, 2020
4 manufacturers stood out as providing the worst technical support to ~200...
Clorox Announces, Then Pulls, Fever Camera on Oct 15, 2020
For almost one week, Clorox was marketing fever cameras. The booming...
Faulty Hikvision Fever Cam Setup at Mexico City Basilica and Cathedral on Oct 14, 2020
Donated Hikvision fever cameras (claiming screening of 1,800 people/min. with...
Directory of 211 "Fever" Camera Suppliers on Oct 14, 2020
This directory provides a list of "Fever" scanning thermal camera providers...