Vulnerability Note VU#927644
QNAP VioStor NVR firmware version 4.0.3 and QNAP NAS multiple vulnerabilities
QNAP VioStor NVR firmware version 4.0.3 and possibly earlier versions, and QNAP NAS, contain multiple vulnerabilities that may allow an attacker to perform administrative functions against the hosted server.
QNAP VioStor NVR firmware version 4.0.3 and possibly earlier versions, and QNAP NAS with the Surveillance Station Pro activated, contain multiple vulnerabilities that may allow an attacker to perform administrative functions against the hosted server.
CWE-284: Improper Access Control - CVE-2013-0142
An attacker who has authenticated, either with known credentials or through a hardcoded guest account, may be able to execute arbitrary commands or add administrative accounts to the server.
QNAP has released firmware updates to address these vulnerabilities:
Restrict Network Access
Vendor Information
|Vendor|Status|Date Notified|Date Updated|
|---|---|---|---|
|QNAP Security|Affected|-|17 Jun 2013|
CVSS Metrics
Thanks to Tim Herres and David Elze of Daimler TSS for reporting this vulnerability.
This document was written by Michael Orlando.
- CVE IDs: CVE-2013-0142 CVE-2013-0143 CVE-2013-0144
- Date Public: 05 Jun 2013
- Date First Published: 05 Jun 2013
- Date Last Updated: 02 Jul 2013
- Document Revision: 29