QNAP Zero-Days Leave 80K Devices Vulnerable to Cyberattack

Multiple QNAP operating systems are affected, including QTS, QuTS hero, QuTScloud, and QVP Pro appliances, and some don't yet have patches available.

Concept art of IoT
Source: Aleskey Funtap via Alamy Stock Photo

A pair of zero-day vulnerabilities in several Quality Network Appliance Provider (QNAP) operating systems (OS) for network-attached storage (NAS) appliances are impacting an estimated 80,000 devices worldwide. They remain unpatched for two of the four affected OSes.

QNAP provides gear and software for Internet of Things (IoT) storage, networking, and smart video. The OS bugs, discovered by researchers at Sternum, are memory access violations, which could cause unstable code and could provide a path for an authenticated cybercriminal to execute arbitrary code.

The vulnerabilities, tracked under CVE-2022-27597 and CVE-2022-27598, impact the QTS, QuTS hero, QuTScloud, and QVP OS, according to Sternum, and have been fixed in QTS version 5.0.1.2346 build 20230322 (and later) and QuTS hero version h5.0.1.2348 build 20230324 (and later). The QuTScloud and QVP OS remain unpatched, but QNAP said that it is "urgently fixing" the flaws.

A picture of a QNAP appliance

Sternum researchers explain the memory access violations affect the performance, as well as the security of the QNAP devices.

"From a performance point of view, they could lead to stability issues and unpredictable code behavior," Sternum's director of security of research Amit Serper says. "From a security perspective, they can be used for arbitrary code execution by a malicious threat actor."

The QNAP security advisory adds, "If exploited, the vulnerability allows remote authenticated users to get secret values."

While the bugs are rated "low severity," and so far, Sternum's researchers have not seen them exploited in the wild, getting a patch in place quickly matters — QNAP users continue to be a favorite target among cybercriminals.

Why Is QNAP Cyberattacker Catnip?

The DeadBolt ransomware group in particular was seen exploiting a range of zero-day vulnerabilities in a series of wide-rangingcybercampaigns against QNAP users in 2022 alone, surfacing regularly in May, June, and September.

DeadBolt is clearly dead set, as it were, on putting effort into finding — and exploiting — QNAP flaws, preferably critical zero-days, according to Mark Parkin, senior technical engineer with Vulcan Cyber.

"It's sometimes said that finding one vulnerability in a target will lead people into looking for more," Parkin explains. "The issue here is that they are finding more as they look. It almost makes you wonder if the attackers don't have access to the source code, or some other way to get an inside track."

Collusion suspicions aside, it's up to organizations to make sure their highly targeted QNAP systems are up to date, especially given that new bugs are coming to light with some frequency. In addition to the most recent findings from Sternum, in February, users of QNAP QTS OS were alerted to a critical SQL injection issue with a CVSS score of 9.8. The disclosures just widen the attack surface further.

In the case of the most recent vulnerabilities, users with systems without a patch available should employ a strong endpoint detection and response (EDR) solution and look for indicators of compromise. Because cyberattackers would need to be authenticated, doing an audit of who has access to vulnerable systems and providing additional authentication protection could also help mitigate an attack.

One researcher warns that even in cases where patches are available, truly locking down the appliances might require a shift in mindset for some companies. 

"QNAP devices are very attractive to cybercriminals whose strategy is to ask a large number of victims for a small amount of money," Bud Broomhead, CEO of Viakoo says. "Because QNAP devices, along with many other IoT devices, are largely managed outside of IT, they are often misconfigured, left unprotected by a firewalls, and left unpatched."

He adds, "These devices often are invisible to corporate IT and security teams and do not get audited or observed when they fall out of compliance, such as by being on out-of-date and insecure firmware."

About the Author

Becky Bracken, Senior Editor, Dark Reading

Dark Reading

Becky Bracken is a veteran multimedia journalist covering cybersecurity for Dark Reading.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights