Skip to main content

The Network Attached Storage (NAS) devices manufacturer giant QNAP published an advisory on 30th June 2023 in which QNAP announced a critical code injection vulnerability in QNAP NAS devices. The vulnerability tracked under this identifier CVE-2022-27596 is a Critical severity vulnerability with a CVSS score of 9.8 out of 10. Technical details behind the flaw are not confirmed yet. Since this flaw allows an attacker to carry out remote code execution attacks just by sending crafted SQL queries, it is most important to fix the CVE-2022-27596 vulnerability. Let’s see how to fix CVE-2022-27596, a Code Injection vulnerability in QNAP NAS devices that lead to an RCE attack.

A Short Introduction About QNAP NAS

QNAP NAS, a familiar name in the world of network-attached storage, is the go-to choice for those seeking dependability and versatility. Whether you’re a home user seeking to store precious memories or a business owner looking for robust storage solutions, QNAP has got you covered. Boasting a diverse lineup of models, from basic to top-of-the-line, QNAP offers options to meet every need. But that’s not all. This storage giant also supports a multitude of protocols, making it a flexible and efficient storage solution for a variety of use cases – personal and professional alike.

QTS 5.x and QuTS hero h5..x:

Step into the future of data management with QTS 5.x- the cutting-edge operating system from QNAP Systems Inc. Designed for their NAS devices, QTS 5.x boasts a user-friendly interface and a vast array of applications to aid in the management, protection, and sharing of digital assets. This futuristic operating system packs in advanced features such as virtualization, containerization, and disaster recovery – ensuring data security and a seamless storage experience for all users.

For businesses seeking maximum value from their data, there’s QuTS hero h5.x – a high-performance version of QTS 5.x optimized for the QuTS hero series NAS devices. This powerhouse OS combines the best of QTS 5.x with innovative hardware and a unique data management architecture, delivering exceptional performance, reliability, and scalability. QuTS hero h5.x comes equipped with advanced storage features, including storage pooling, data backup and recovery, and disaster recovery solutions, making it the ultimate choice for businesses that demand the very best in data management solutions.

Summary of CVE-2022-27596

This is a critical severity Code Injection vulnerability in QNAP NAS operating systems which as got a CVSS score of 9.8 out of 10 on the scale. The successful exploitation of this code injection vulnerability would allow a remote attacker to perform arbitrary code execution attacks. As per the advisory published by QNAP, this flaw could be exploitable just by sending crafted SQL queries. Attackers could abuse this vulnerability to bypass security controls, unauthorized access or sometimes alter valuable information on the vulnerable versions of QNAP NAS operating systems. 

Associated CVE IDCVE-2019-27596
DescriptionA Code Injection Vulnerability in QNAP NAS Devices that Lead to RCE Attack
Associated ZDI ID
CVSS Score9.8 Critical
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Impact Score5.9
Exploitability Score3.9
Attack Vector (AV)Network
Attack Complexity (AC)Low
Privilege Required (PR)None
User Interaction (UI)None
ScopeUnchanged
Confidentiality (C)High
Integrity (I)High
availability (a)High

QNAP NAS OS Vulnerable to CVE-2022-27596:

This flaw affects all the QNAP devices runs on QTS 5.0.1 and QuTS hero h5.0.1.

  • QTS 5.0.1
  • QuTS hero h5.0.1.

See Also Protect Your Apple Devices From The Three 0-Day WebKit Vulnerabilities in iOS, iPadOS, macOS. tvOS, watchOS, and Safari Web Browser

How to Fix  CVE-2022-27596- A Code Injection Vulnerability in QNAP NAS Devices That Lead to RCE Attack?

Well, the vendor has released the patch to fix the CVE-2022-27596, a critical Code Injection vulnerability. Please upgrade your QNAP OS to these fixed versions. We always recommend regular upgrades and keeping your device to the latest version.

  • QTS 5.0.1.2234 build 20221201 and later
  • QuTS hero h5.0.1.2248 build 20221215 and later

Follow This Procedure To upgrade QNAP NAS QTS, QuTS Hero, OR QuTScloud From The Console:

  1. Log on to QTS, QuTS hero, or QuTScloud as administrator.
  2. Go to Control Panel > System Firmware Update.
  3. Under Live Update, click Check for Update

QTS, QuTS hero, or QuTScloud downloads and installs the latest available update by themselves.

Or

Follow this procedure to upgrade QNAP from the software center:

  1. Go to Support > Download Center to download the update from the QNAP website.
  2. Perform a manual update for your specific device.

This simple procedure completes the upgradation procedure.

Leave a Reply