Get all your news in one place.
100’s of premium titles.
One app.
Start reading
TechRadar
TechRadar
Sead Fadilpašić

A benchmark test uncovered some critical vulnerabilities in thousands of QNAP devices

Concept art representing cybersecurity principles

Tens of thousands of internet-connected QNAP devices were found to be carrying two severe vulnerabilities which could have allowed threat actors to execute arbitrary code.

Cybersecurity researchers from Sternum used their runtime protection benchmark product on QNAP TS-230 NAS device, and as soon as the product was activated, it started alerting the researchers to “multiple memory access violations”. 

“In this case, the reason for the alert was multiple out-of-bounds read and write requests, performed by several memcpy functions,” the researchers explained.

Out of bounds issues

Detailing their findings, the researchers said that in the source file api-cpp, the int iface_status2interface_status function contained a memcpy call with a constant size of 46, but as the source string content for the call was an IPv6 address (which can have 39 bytes max), this leads to a potential out-of-bounds (OOB) issue. 

Furthermore, the NetworkInterface.cpp source file has the get_interface_slaac_info function with four memcpy calls with the copy size 46, which copies JSON values from buffers returned by Json::Value::asCString. The string buffers were often shorter than 46, the researcher said, which causes potential OOB issues in all four memcpy calls.

After notifying QNAP of their findings, the company acknowledged the issues and released two CVEs: CVE-2022-27597, and CVE-2022-27598. These show that the flaws affected four operating systems:  QTS, QuTS hero, QuTScloud, and QVP (QVR Pro appliances). The severity scores for these two vulnerabilities have not yet been assigned. 

By conservative estimate, Sternum says, more than 80,000 connected devices worldwide are affected by these two zero-day vulnerabilities. 

The patch that QNAP released already fixed the flaws in QTS 5.0.1.2346 build 20230322 (and later), and QuTS hero h5.0.1.2348 build 20230324 (and later).

Sign up to read this article
Read news from 100’s of titles, curated specifically for you.
Already a member? Sign in here
Related Stories
Top stories on inkl right now
Our Picks
Fourteen days free
Download the app
One app. One membership.
100+ trusted global sources.