Vulnerability Note VU#927644

QNAP VioStor NVR firmware version 4.0.3 and QNAP NAS multiple vulnerabilities

Original Release date: 05 Jun 2013 | Last revised: 02 Jul 2013

Overview

QNAP VioStor NVR firmware version 4.0.3 and possibly earlier versions and QNAP NAS contains multiple vulnerabilities which may allow an attacker to perform administrative functions against the hosted server.

Description

QNAP VioStor NVR firmware version 4.0.3 and possibly earlier versions and QNAP NAS with the Surveillance Station Pro activated contains multiple vulnerabilities which may allow an attacker to perform administrative functions against the hosted server.

CWE-284: Improper Access Control CVE-2013-0142
VioStor NVR firmware version 4.0.3 and possibly earlier versions and QNAP NAS with the Surveillance Station Pro activated contains a hardcoded guest account and password which can be leveraged to login to the webserver. It has been reported that it is not possible to view or administer the guest account using the web interface.

CWE-77: Improper Neutralization of Special Elements used in a Command CVE-2013-0143
VioStor NVR firmware version 4.0.3 and possibly earlier versions and QNAP NAS with the Surveillance Station Pro activated contains scripts which could allow any user e.g. guest users to execute scripts which run with administrative privileges. It is possible to execute code on the webserver using the ping function.
Example: http://[server-ip]/cgi-bin/pingping.cgi?ping_ip=1;whoami

CWE-352: Cross-Site Request Forgery (CSRF). CVE-2013-0144
VioStor NVR firmware version 4.0.3 and possibly earlier versions contains a cross-site request forgery vulnerability could allow an attacker to add a new administrative account to the server by tricking an administrator to click on a malicious link while they are currently logged into the webserver.
Example: http://[server-ip]/cgi-bin/create_user.cgi?OK=&function=USER&subfun=NEW&USERNAME=&NAME=attacker&PASSWD=12345&VERIFY=12345&create_user_list=admin&PTZ1=on&Audio1=on&PTZ2=on&Audio2=on&PTZ3=on&Audio3=on&PTZ4=on&Audio4=on

Impact

An authenticated (via known credentials or hardcoded guest account) attacker may be able to execute arbitrary commands or add administrative accounts to the server.

Solution

Update

QNAP has released firmware updates to address these vulnerabilities:

QNAP VioStor NVR firmware version 4.0.3 and possibly earlier versions users are advised to upgrade to QNAP VioStor NVR system firmware version 4.0.3 build 6612.
QNAP NAS with the Surveillance Station Pro activated are advised to upgrade to QNAP Surveillance Station Pro to v3.0.2 or higher.

Restrict Network Access

As a general good security practice, only allow connections from trusted hosts and networks. Restricting access would prevent an attacker from connecting to the service from a blocked network location.

Vendor Information (Learn More)

VendorStatusDate NotifiedDate Updated
QNAP SecurityAffected-17 Jun 2013
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group Score Vector
Base 10.0 AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal 7.7 E:U/RL:U/RC:UC
Environmental 2.0 CDP:L/TD:L/CR:ND/IR:ND/AR:ND

References

Credit

Thanks to Tim Herres and David Elze of Daimler TSS for reporting this vulnerability.

This document was written by Michael Orlando.

Other Information

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.