QNAP fixes critical QVR remote command execution vulnerability

QNAP has released several security advisories today, one of them for a critical security issue that allows remote execution of arbitrary commands on vulnerable QVR systems, the company’s video surveillance solution hosted on a NAS device.

The QVR IP video surveillance system supports multiple feed channels and cross-platform video decoding and it is designed for monitoring both home and office environments.

The vulnerability is tracked as CVE-2022-27588 and has a critical severity score of 9.8. It impacts QVR versions older than 5.1.6 build 20220401.

QNAP’s  advisory explains that the “vulnerability has been reported to affect QNAP VS Series NVR running QVR. If exploited, this vulnerability allows remote attackers to run arbitrary commands.”

This type of security flaw allows a threat actor to execute commands on the target to change settings, access sensitive information, or take control of the device. Depending on the context, it could also be used to get deeper in the network.

As we have seen in the past, critical vulnerabilities in QNAP systems are leveraged almost immediately in cyberattacks when an exploit becomes publicly available.

BleepingComputer has reached out to QNAP to request information on whether CVE-2022-27588 is actively exploited and we will update the article with the company’s response.

Multiple QNAP fixes

Apart from the critical issue in QVR, QNAP also addressed eight vulnerabilities in other products, with severity ratings between medium and high.

Here is the complete list of the fixes:

  • CVE-2022-27588: Critical-severity RCE in QNAP QVR
  • CVE-2021-38693: Medium-severity path traversal vulnerability in thttpd, affecting QTS, QuTS hero, and QuTScloud.
  • CVE-2021-44055: Medium severity flaw allowing remote access of data in some Video Station versions.
  • CVE-2021-44056: Medium severity flaw allowing remote access of data in some Video Station versions.
  • CVE-2021-44057: High-severity vulnerability in QNAP NAS running Photo Station.
  • CVE-2021-44051: High-severity command injection flaw that allows arbitrary remote command execution in QTS, QuTS hero, and QuTScloud.
  • CVE-2021-44052: High-severity link resolution flaw that allows malicious file actions in QTS, QuTS hero, and QuTScloud.
  • CVE-2021-44053: High-severity cross-site scripting (XSS) flaw that allows remote code injection in QTS, QuTS hero, and QuTScloud.
  • CVE-2021-44054: High-severity open-redirect vulnerability that allows user redirection to a malware-laced page in QTS, QuTS hero, and QuTScloud.

For more information on the impacted versions and those that incorporate the security updates, click on the corresponding CVE numbers above.

At this time, QNAP has not provided mitigation guidance, so the recommended action is to update your software to the latest available version.

Source: www.bleepingcomputer.com