QNAP, a Taiwanese NAS manufacturer, has issued security updates for numerous vulnerabilities that might allow attackers to remotely inject and execute malicious code and commands on susceptible NAS systems. File sharing, virtualization, storage management, and surveillance applications all employ network-attached storage (NAS) appliances. The headquarters of QNAP is located in the Xizhi District of New Taipei City, Taiwan. QNAP began as a department of the IEI Integration Corporation, a Taiwan-based industrial computer services provider.
Three high-severity stored cross-site scripting (XSS) vulnerabilities (recorded as CVE-2021-34354, CVE-2021-34356, and CVE-2021-34355) affect devices running unpatched Photo Station software (releases before 5.4.10, 5.7.13, or 6.0.18), according to QNAP.
In addition, QNAP fixed a stored XSS flaw in Image2PDF that affected devices running versions prior to Image2PDF 2.1.5. Successful exploitation of a stored XSS flaw lets threat actors inject malicious code remotely and store it on the targeted servers indefinitely.
Stored attacks are those in which the injected script is kept on the target servers indefinitely, such as in a database, a chat forum, a visitor log, or a comment field. When the victim requests the stored information from the server, the malicious script is downloaded along with it.
QNAP also fixed a command injection bug (CVE-2021-34352) that affects some QNAP end-of-life (EOL) devices running the QVR IP video surveillance software and allows attackers to run arbitrary commands. Successful attacks leveraging the CVE-2021-34352 bug could result in NAS devices being completely taken over.
In April, the QNAP NAS operating systems QTS and QuTS Hero were patched for a command injection vulnerability (CVE-2020-2509). Another critical flaw (CVE-2020-36195), which affected any QNAP NAS device running Multimedia Console or the Media Streaming add-on, was patched in the same batch of firmware upgrades.
“Both vulnerabilities are simple to exploit if you know the exact technical details,” said Yaniv Puyeski, a security researcher at SAM Seamless Network.
The significant, pre-authenticated flaws, which require only network access to the susceptible services, highlight an insecure, all-too-common way of using the devices, according to Puyeski. “Unfortunately, a lot of QNAP owners expose their device to the internet through port forwarding which puts them at very high risk to be hacked,” he explained.