A comprehensive security audit of QNAP QTS, the operating system for QNAP NAS products, has identified fifteen vulnerabilities, with eleven still unresolved. The most severe of these, CVE-2024-27130, is an unpatched stack buffer overflow in the ‘No_Support_ACL’ function within ‘share.cgi’, potentially enabling remote code execution. The vendor responded to vulnerability reports submitted between December 2023 and January 2024 with significant delays, addressing only four out of fifteen flaws to date.
WatchTowr Labs, which discovered these vulnerabilities, published detailed findings and a proof-of-concept (PoC) exploit for CVE-2024-27130. This exploit demonstrates how attackers can leverage the ‘strcpy’ function misuse in ‘No_Support_ACL’ to execute malicious code. The attack requires obtaining a valid ‘ssid’ parameter, often shared in public links, making social engineering a feasible attack vector.
QNAP has released an emergency update to fix CVE-2024-27130 and four additional vulnerabilities, with QTS 5.1.7.2770 build 20240520 and later versions. The company cited “coordination issues” for the patching delays and committed to addressing critical and high-severity flaws within 45 days moving forward. Users are urged to apply these updates immediately to mitigate the risk of exploitation and to follow best practices for network security to protect their NAS devices.
Reference:
