QNAP Major Security Bug

By: Sarit Williams, Published on Jun 10, 2013

QNAP, a manufacturer of Linux-based embedded NVRs and Network Attached Storage (NAS) appliances, has ignored a colossal security bug. This article looks at that negligence, at the level of risk its customers have been left to bear, and at how the vulnerabilities are rated.

What Happened

Two test engineers employed by Daimler TSS found several vulnerabilities in QNAP's VioStor NVR firmware version 4.0.3 (and possibly earlier versions).

  • A hard-coded guest account is baked into the firmware and can be used to create additional administrator-level accounts, which then give unlimited access to the NVR. The guest account itself cannot be deactivated or modified, so an owner has no way to close this door (CWE-284, improper access control).
  • The web interface passes user-supplied input to the operating system shell without sanitizing it. An attacker does not need to be a programmer: inserting a semicolon ends the intended command, and whatever follows it runs on the NVR with the web server's privileges (CWE-77, command injection).
  • Because the web application does not verify that a request originated from its own pages, an attacker can trick a logged-in user into submitting a request on the attacker's behalf, for example by getting the user to click a link or load a page that silently submits a form to the NVR (CWE-352, cross-site request forgery).

These flaws are relatively simple to exploit and potentially catastrophic for the NVR and for anyone relying on it.
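To make the first flaw concrete, here is an added example (not QNAP's code; a hypothetical login and user-creation back end in Python) showing why a hard-coded account that is checked before the user database cannot be disabled by the owner, and how a missing role check on account creation turns that account into full administrative access. The account name and password guest/guest, the UserStore class and the role names are assumptions for the example, not details from the advisory.

```python
import hashlib
import hmac
import os
import secrets


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class UserStore:
    """Minimal in-memory user database, constructed for this example."""

    def __init__(self):
        self.users = {}  # name -> {"salt", "hash", "role", "enabled"}

    def add(self, name, password, role):
        salt = os.urandom(16)
        self.users[name] = {"salt": salt, "hash": _hash(password, salt),
                            "role": role, "enabled": True}

    def disable(self, name):
        if name in self.users:
            self.users[name]["enabled"] = False

    def check(self, name, password):
        """Return the account's role on success, None otherwise."""
        rec = self.users.get(name)
        if rec is None or not rec["enabled"]:
            return None
        if hmac.compare_digest(rec["hash"], _hash(password, rec["salt"])):
            return rec["role"]
        return None


# --- Vulnerable pattern (hypothetical, modelled on the advisory's description) ---
HARDCODED_GUEST = ("guest", "guest")   # assumed credentials baked into the firmware image


def vulnerable_login(store, name, password):
    # Checked before the user database, so disabling or re-passwording "guest" never takes effect.
    if (name, password) == HARDCODED_GUEST:
        return "guest"
    return store.check(name, password)


def vulnerable_create_user(store, session_role, new_name, new_password, new_role):
    # Only checks that *someone* is logged in, not that the caller is an admin.
    if session_role is None:
        return False
    store.add(new_name, new_password, new_role)
    return True


# --- Hardened pattern ---
def hardened_login(store, name, password):
    return store.check(name, password)   # no accounts outside the user database


def hardened_create_user(store, session_role, new_name, new_password, new_role):
    if session_role != "admin":          # privileged action requires the admin role
        return False
    store.add(new_name, new_password, new_role)
    return True


def escalation_possible(login, create_user):
    """True if an unprivileged caller can mint a working admin account after
    the operator has explicitly disabled the guest account."""
    store = UserStore()
    store.add("admin", secrets.token_hex(16), "admin")
    store.add("guest", secrets.token_hex(16), "guest")
    store.disable("guest")                      # operator tries to shut the guest door
    role = login(store, "guest", "guest")
    if role is None:
        return False
    pw = secrets.token_hex(8)
    if not create_user(store, role, "backdoor", pw, "admin"):
        return False
    return login(store, "backdoor", pw) == "admin"


if __name__ == "__main__":
    print("vulnerable:", escalation_possible(vulnerable_login, vulnerable_create_user))
    print("hardened:  ", escalation_possible(hardened_login, hardened_create_user))
```

The point of the two login functions is ordering: a credential check that runs before the account store is consulted is, by construction, immune to anything the owner does in the store, which is exactly why the testers reported that the guest account could not be shut off.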

Several failed attempts to contact QNAP forced the testers to report the vulnerabilities to the CERT Coordination Center at the Software Engineering Institute in March 2013, and then to other security outlets [link no longer available], hoping for a response.

QNAP Response

Three months after the public disclosure, QNAP finally responded with a patch to fix the vulnerabilities.

Highest Risk Level

The National Vulnerability Database (NVD) rates these vulnerabilities at a base score of 10.0, the highest possible on the Common Vulnerability Scoring System (CVSS). The three weaknesses, CWE-284 (Improper Access Control), CWE-77 (Command Injection) and CWE-352 (Cross-Site Request Forgery), together hand an attacker the system's security controls and its full range of features through holes left in the NVR's web interface.

Because injected commands run on the NVR itself, an attacker can use it as a foothold to map the network and reach other servers and gateway applications behind it. The CSRF weakness means the attacker does not have to alter the NVR's interface at all: a form or link on an attacker-controlled page can submit a request to the NVR in the context of a logged-in user, while everything the user sees in the UI looks entirely familiar.


[Two embedded demo videos of Cross Site Request Forgery, a basic one and a more advanced one, appeared here in the original article.]
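The CSRF weakness (CWE-352) the videos illustrate, as an added Python example that is not from the article or from QNAP: a hypothetical adduser handler that trusts only the session cookie accepts a form submitted by an attacker's page on another site, while the hardened version additionally requires the request to come from the NVR's own origin and to carry a per-session token. The hostnames nvr.example and attacker.example, the CGI path and the request dictionaries are assumptions standing in for real HTTP objects.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# In-memory session table (constructed for this example): cookie value -> session record.
SESSIONS = {}
TRUSTED_ORIGIN = "https://nvr.example"   # assumed address of the NVR's web interface


def new_session(user):
    """Log a user in. The hardened handler also needs a secret token tied to the session."""
    sid = secrets.token_urlsafe(24)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(24)}
    return sid


def vulnerable_add_user(request):
    """Authorizes purely on the session cookie. The browser attaches that cookie to
    any request aimed at the NVR, including one that an attacker's page submits."""
    sess = SESSIONS.get(request["cookies"].get("sid"))
    if sess is None:
        return 401
    # ... would now create request["form"]["user"] with request["form"]["role"] ...
    return 200


def _same_origin(url, trusted):
    a, b = urlsplit(url), urlsplit(trusted)
    return (a.scheme, a.netloc) == (b.scheme, b.netloc)


def hardened_add_user(request):
    """Same action, but the request must prove it came from the NVR's own pages."""
    sess = SESSIONS.get(request["cookies"].get("sid"))
    if sess is None:
        return 401
    # 1. Origin (or Referer) must be the NVR itself; a missing header fails closed.
    source = request["headers"].get("Origin") or request["headers"].get("Referer")
    if not source or not _same_origin(source, TRUSTED_ORIGIN):
        return 403
    # 2. The form must carry the secret token issued with this session; constant-time compare.
    token = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(token.encode(), sess["csrf"].encode()):
        return 403
    return 200


# What an attacker's page would host (constructed): a hidden form that submits itself to the NVR.
ATTACKER_PAGE = """<form id="f" method="POST" action="https://nvr.example/cgi-bin/adduser">
  <input type="hidden" name="user" value="backdoor">
  <input type="hidden" name="role" value="admin">
</form><script>document.getElementById("f").submit()</script>"""


def forged_request(sid):
    """The request the victim's browser emits for ATTACKER_PAGE:
    the victim's cookie, the attacker's origin, and no token."""
    return {"cookies": {"sid": sid},
            "headers": {"Origin": "https://attacker.example"},
            "form": {"user": "backdoor", "role": "admin"}}


def legitimate_request(sid):
    """A request from the NVR's own user-management page, which embeds the session's token."""
    return {"cookies": {"sid": sid},
            "headers": {"Origin": TRUSTED_ORIGIN},
            "form": {"user": "operator", "role": "viewer",
                     "csrf_token": SESSIONS[sid]["csrf"]}}


if __name__ == "__main__":
    sid = new_session("admin")
    print("vulnerable handler, forged request:", vulnerable_add_user(forged_request(sid)))
    print("hardened handler, forged request:  ", hardened_add_user(forged_request(sid)))
    print("hardened handler, real request:    ", hardened_add_user(legitimate_request(sid)))
```

The origin check alone is not enough (older clients omit the header, and a proxy may strip Referer), and the token alone leaks if the application has a cross-site scripting bug, so the two checks are layered; the token must be compared in constant time to avoid giving an attacker a timing oracle on it.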

What It Means to You

Update any QNAP systems immediately. The attack is fairly simple and is described on the Internet. An attacker can gain complete control over the web application: deleting or stealing recorded video, viewing live streams from cameras on the network, and taking over features such as PTZ control. That affects everyday functionality and compromises not just data security but the ability to secure the facility's employees and visitors as well.

Linux Issue?

While this was an issue with a Linux appliance, it was not a fault of Linux. QNAP clearly made a very basic mistake in how it built and configured its web server.

CGI itself does not cause the vulnerability; it is simply the conduit through which the holes left in the program are reached. The NVR's web server exposes its Common Gateway Interface (CGI) directory, which holds the server-side scripts that take commands from the client and carry out user actions on the server. Any parameter such a script passes to a shell without validation is a command-injection point, and each script must confirm that the request comes from a properly authenticated and authorized user before acting on it.
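As an added example (not the VioStor firmware's own CGI code), here is a hypothetical Python CGI back end for a camera-naming form that demonstrates the command-injection bullet from earlier and the CGI point made in this section: input concatenated into a single shell string lets a ; end the intended command, while an allowlist plus an argument list with no shell does not. The echo command stands in for whatever system utility a real script would call; the parameter name, the SAFE_NAME pattern and the PAYLOAD string are assumptions constructed for the example.

```python
import re
import shlex
import subprocess

# Allowlist for a camera name: letters, digits, '_', '.', '-', at most 32 characters.
SAFE_NAME = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def is_safe_name(camera_name: str) -> bool:
    return SAFE_NAME.fullmatch(camera_name) is not None


def vulnerable_run(camera_name: str) -> str:
    """Hypothetical CGI back end: the query parameter is pasted into one shell string.
    Shell metacharacters in it (';', '|', '&&', '$(...)') are interpreted by /bin/sh."""
    cmd = "echo camera=" + camera_name
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return out.stdout


def hardened_run(camera_name: str) -> str:
    """Validate against the allowlist, then pass an argument list: no shell, so no
    metacharacter is ever parsed as syntax."""
    if not is_safe_name(camera_name):
        raise ValueError("invalid camera name")
    out = subprocess.run(["echo", "camera=" + camera_name],
                         capture_output=True, text=True)
    return out.stdout


def quoted_run(camera_name: str) -> str:
    """If a shell really is unavoidable, quote the untrusted value so the shell treats
    it as one literal word. Weaker than hardened_run: a bad allowlist is still needed
    to keep junk out of the log, but the ';' no longer ends the command."""
    cmd = "echo camera=" + shlex.quote(camera_name)
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return out.stdout


# Constructed attacker input: the ';' terminates the echo and a second command follows.
PAYLOAD = "cam1; echo INJECTED"


if __name__ == "__main__":
    print("vulnerable:", repr(vulnerable_run(PAYLOAD)))   # two lines, the second from the attacker
    print("quoted:    ", repr(quoted_run(PAYLOAD)))       # one line, payload kept literal
    print("allowlist accepts payload:", is_safe_name(PAYLOAD))
```

The test for whether a CGI script is exposed is therefore not "does it use a shell" but "does any byte of the request reach the shell unvalidated and unquoted".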

Conclusion

Software companies are known to short-circuit testing schedules and treat testing as a money pit. In this case, though, the root cause was a failure of architecture and design by QNAP's developers. One might call it an oversight, but that reading is negated by QNAP's lack of response to the testers and to CERT, which delayed mitigation by several more months. Design and architecture are the basic building blocks of any application, and flaws this fundamental will require a redesign of the application as a whole to address them thoroughly.

We suggest closely monitoring QNAP's forum thread dedicated to this specific security issue for the latest updates.

 

UPDATE (7/22/2013): QNAP has released the following updates for each affected product:

Users of QNAP VioStor NVR firmware version 4.0.3 (and possibly earlier versions) are advised to upgrade to VioStor NVR system firmware version 4.0.3 build 6612.

Users of a QNAP NAS with Surveillance Station Pro activated are advised to upgrade Surveillance Station Pro to v3.0.2 or higher.
