search menu icon-carat-right cmu-wordmark

CERT Coordination Center

QNAP QTS is vulnerable to a path traversal attack when used with the AFP protocol and OS X

Vulnerability Note VU#751328

Original Release Date: 2015-10-12 | Last Revised: 2015-10-13

Overview

QNAP QTS is a Network-Attached Storage (NAS) system. The QNAP QTS is vulnerable to a path traversal attack when used with the AFP protocol and OS X.

Description

CWE-23: Relative Path Traversal - CVE-2015-6003


When the Apple Filing Protocol (AFP) is enabled, any OS X user account (including the unauthenticated guest account) may be able to read and write arbitrary files on the QNAP QTS device.

According to documentation, AFP is disabled by default on the device, so only users specifically enabling this service are impacted.

According to the reporter, the TS-420 with firmware version prior to 4.1.4 Build 0910 is vulnerable. It is likely that all devices running firmware version 4.1.4 are affected; previous firmware versions may also be affected.

For more information, please see QNAP's security advisory.

Impact

An unauthenticated remote user may be able to read and write arbitrary files on the device.

Solution

Update the firmware

QNAP has released firmware version QTS 4.1.4 Build 0910 and QTS 4.2.0 Build 0910(RC2) to address this issue. Affected users are encouraged to update as soon as possible.

Vendor Information

751328
 
Affected   Unknown   Unaffected

QNAP

Notified:  August 28, 2015 Updated:  October 13, 2015

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.


CVSS Metrics

Group Score Vector
Base 6.6 AV:L/AC:L/Au:N/C:C/I:C/A:N
Temporal 5.2 E:POC/RL:OF/RC:C
Environmental 3.9 CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

Acknowledgements

Thanks to Marcin Ochab for reporting this vulnerability.

This document was written by Garret Wassermann.

Other Information

CVE IDs: CVE-2015-6003
Date Public: 2015-10-12
Date First Published: 2015-10-12
Date Last Updated: 2015-10-13 19:43 UTC
Document Revision: 35

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.