search menu icon-carat-right cmu-wordmark

CERT Coordination Center


QNAP VioStor NVR firmware version 4.0.3 and QNAP NAS multiple vulnerabilities

Vulnerability Note VU#927644

Original Release Date: 2013-06-05 | Last Revised: 2014-07-30

Overview

QNAP VioStor NVR firmware version 4.0.3 and possibly earlier versions and QNAP NAS contains multiple vulnerabilities which may allow an attacker to perform administrative functions against the hosted server.

Description

QNAP VioStor NVR firmware version 4.0.3 and possibly earlier versions and QNAP NAS with the Surveillance Station Pro activated contains multiple vulnerabilities which may allow an attacker to perform administrative functions against the hosted server.

CWE-284: Improper Access Control CVE-2013-0142
VioStor NVR firmware version 4.0.3 and possibly earlier versions and QNAP NAS with the Surveillance Station Pro activated contains a hardcoded guest account and password which can be leveraged to login to the webserver. It has been reported that it is not possible to view or administer the guest account using the web interface.

CWE-77: Improper Neutralization of Special Elements used in a Command CVE-2013-0143
VioStor NVR firmware version 4.0.3 and possibly earlier versions and QNAP NAS with the Surveillance Station Pro activated contains scripts which could allow any user e.g. guest users to execute scripts which run with administrative privileges. It is possible to execute code on the webserver using the ping function.
Example: http://[server-ip]/cgi-bin/pingping.cgi?ping_ip=1;whoami

CWE-352: Cross-Site Request Forgery (CSRF). CVE-2013-0144
VioStor NVR firmware version 4.0.3 and possibly earlier versions contains a cross-site request forgery vulnerability could allow an attacker to add a new administrative account to the server by tricking an administrator to click on a malicious link while they are currently logged into the webserver.
Example: http://[server-ip]/cgi-bin/create_user.cgi?OK=&function=USER&subfun=NEW&USERNAME=&NAME=attacker&PASSWD=12345&VERIFY=12345&create_user_list=admin&PTZ1=on&Audio1=on&PTZ2=on&Audio2=on&PTZ3=on&Audio3=on&PTZ4=on&Audio4=on

The CVSS scores below apply to CVE-2013-0143.

Impact

An authenticated (via known credentials or hardcoded guest account) attacker may be able to execute arbitrary commands or add administrative accounts to the server.

Solution

Update
QNAP has released firmware updates to address these vulnerabilities:

QNAP VioStor NVR firmware version 4.0.3 and possibly earlier versions users are advised to upgrade to QNAP VioStor NVR system firmware version 4.0.3 build 6612.
QNAP NAS with the Surveillance Station Pro activated are advised to upgrade to QNAP Surveillance Station Pro to v3.0.2 or higher.

Restrict Network Access

As a general good security practice, only allow connections from trusted hosts and networks. Restricting access would prevent an attacker from connecting to the service from a blocked network location.

Vendor Information

927644
Expand all

QNAP Security

Updated:  June 17, 2013

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

http://www.qnap.com/en/index.php?lang=en&sn=845&c=2699&sc=&n=18922 http://www.qnap.com/en/index.php?lang=en&sn=845&c=2699&sc=&n=18925

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base 10.0 AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal 7.7 E:U/RL:ND/RC:UC
Environmental 1.9 CDP:ND/TD:L/CR:ND/IR:ND/AR:ND

References

Credit

Thanks to Tim Herres and David Elze of Daimler TSS for reporting this vulnerability.

This document was written by Michael Orlando.

Other Information

CVE IDs: CVE-2013-0142, CVE-2013-0143, CVE-2013-0144
Date Public: 2013-06-05
Date First Published: 2013-06-05
Date Last Updated: 2014-07-30 16:28 UTC
Document Revision: 33

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.