
QNAP released patches for multiple vulnerabilities in its NAS devices, including a vulnerability for which proof-of-concept code was published last week.
The vulnerability tracked as CVE-2024-27130 is an unsafe “use of the ‘strcpy’ function in the No_Support_ACL function, which is utilized by the get_file_size request in the share.cgi script.” The script is used when a user shares files with external users, and successful exploitation of the vulnerability requires an attacker to obtain the ‘ssid’ parameter generated when the NAS user shares a file.
This leads to a stack buffer overflow and can be used for remote code execution. Proof-of-concept (PoC) code targeting devices with the Address Space Layout Randomization (ASLR) mitigation disabled was also released.
Since ASLR is enabled by default on all QNAP devices running QTS 4.x and 5.x, successful exploitation of the bug is significantly more difficult.
QNAP resolved the flaw with the release of QTS 5.1.7.2770 build 20240520 and QuTS hero h5.1.7.2770 build 20240520.
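
For administrators tracking a fleet, the following is an added example (not QNAP tooling and not part of the original article) that classifies a device against the fixed release named above and the ASLR setting. The function names are hypothetical; the firmware version, build number and the value read from `/proc/sys/kernel/randomize_va_space` are passed in as arguments, and it assumes that releases newer than the fixed one also carry the fix.

```shell
#!/bin/sh
# Added example, not QNAP tooling. Fixed release values come from the article.
FIXED_VERSION="5.1.7.2770"
FIXED_BUILD="20240520"

# ver_cmp A B: print -1, 0 or 1 comparing dotted numeric versions field by field.
ver_cmp() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        if [ "$a" = "$x" ]; then a=""; else a=${a#*.}; fi
        if [ "$b" = "$y" ]; then b=""; else b=${b#*.}; fi
        if [ "${x:-0}" -gt "${y:-0}" ]; then echo 1; return 0; fi
        if [ "${x:-0}" -lt "${y:-0}" ]; then echo -1; return 0; fi
    done
    echo 0
}

# patch_status VERSION BUILD: "h" prefix (QuTS hero) is stripped before comparing.
# Assumption: releases newer than the fixed one also carry the fix.
patch_status() {
    v=${1#h}
    case "$v" in ''|*[!0-9.]*) echo invalid; return 0 ;; esac
    case "$2" in ''|*[!0-9]*) echo invalid; return 0 ;; esac
    case "$(ver_cmp "$v" "$FIXED_VERSION")" in
        1) echo patched ;;
        0) if [ "$2" -ge "$FIXED_BUILD" ]; then echo patched; else echo unpatched; fi ;;
        *) echo unpatched ;;
    esac
}

# aslr_status VALUE: VALUE is the content of /proc/sys/kernel/randomize_va_space.
aslr_status() {
    case "$1" in
        0) echo disabled ;; 1) echo partial ;; 2) echo full ;; *) echo unknown ;;
    esac
}

# triage VERSION BUILD ASLR_VALUE: one-line verdict for an inventory report.
triage() {
    p=$(patch_status "$1" "$2"); s=$(aslr_status "$3")
    case "$p/$s" in
        invalid/*)          echo "check-input: cannot parse version or build" ;;
        patched/*)          echo "ok: at or above fixed release (ASLR $s)" ;;
        unpatched/disabled) echo "urgent: below fixed release, ASLR disabled" ;;
        *)                  echo "update: below fixed release (ASLR $s)" ;;
    esac
}

if [ "$#" -eq 3 ]; then triage "$@"; fi
```

Run it with three arguments, for example the version and build shown in the device's firmware information and the output of `cat /proc/sys/kernel/randomize_va_space`.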

