Tens of thousands of internet-connected QNAP devices were found to be carrying two severe vulnerabilities which could have allowed threat actors to execute arbitrary code.
Cybersecurity researchers from Sternum used their runtime protection benchmark product on QNAP TS-230 NAS device (opens in new tab), and as soon as the product was activated, it started alerting the researchers to “multiple memory access violations”.
“In this case, the reason for the alert was multiple out-of-bounds read and write requests, performed by several memcpy functions,” the researchers explained.
Out of bounds issues
Detailing their findings, the researchers said that in the source file api-cpp, the int iface_status2interface_status function contained a memcpy call with a constant size of 46, but as the source string content for the call was an IPv6 address (which can have 39 bytes max), this leads to a potential out-of-bounds (OOB) issue.
Furthermore, the NetworkInterface.cpp source file has the get_interface_slaac_info function with four memcpy calls with the copy size 46, which copies JSON values from buffers returned by Json::Value::asCString. The string buffers were often shorter than 46, the researcher said, which causes potential OOB issues in all four memcpy calls.
After notifying QNAP of their findings, the company acknowledged the issues and released two CVEs: CVE-2022-27597, and CVE-2022-27598. These show that the flaws affected four operating systems: QTS, QuTS hero, QuTScloud, and QVP (QVR Pro appliances). The severity scores for these two vulnerabilities have not yet been assigned.
By conservative estimate, Sternum says, more than 80,000 connected devices worldwide are affected by these two zero-day vulnerabilities.
The patch that QNAP released already fixed the flaws in QTS 126.96.36.1996 build 20230322 (and later), and QuTS hero h188.8.131.528 build 20230324 (and later).