A benchmark test uncovered some critical vulnerabilities in thousands of QNAP devices

Concept art representing cybersecurity principles
(Image credit: Shutterstock / ZinetroN)

Tens of thousands of internet-connected QNAP devices were found to be carrying two severe vulnerabilities which could have allowed threat actors to execute arbitrary code.

Cybersecurity researchers from Sternum used their runtime protection benchmark product on QNAP TS-230 NAS device, and as soon as the product was activated, it started alerting the researchers to “multiple memory access violations”. 

“In this case, the reason for the alert was multiple out-of-bounds read and write requests, performed by several memcpy functions,” the researchers explained.

Out of bounds issues

Detailing their findings, the researchers said that in the source file api-cpp, the int iface_status2interface_status function contained a memcpy call with a constant size of 46, but as the source string content for the call was an IPv6 address (which can have 39 bytes max), this leads to a potential out-of-bounds (OOB) issue. 

Furthermore, the NetworkInterface.cpp source file has the get_interface_slaac_info function with four memcpy calls with the copy size 46, which copies JSON values from buffers returned by Json::Value::asCString. The string buffers were often shorter than 46, the researcher said, which causes potential OOB issues in all four memcpy calls.

After notifying QNAP of their findings, the company acknowledged the issues and released two CVEs: CVE-2022-27597, and CVE-2022-27598. These show that the flaws affected four operating systems:  QTS, QuTS hero, QuTScloud, and QVP (QVR Pro appliances). The severity scores for these two vulnerabilities have not yet been assigned. 

By conservative estimate, Sternum says, more than 80,000 connected devices worldwide are affected by these two zero-day vulnerabilities. 

The patch that QNAP released already fixed the flaws in QTS build 20230322 (and later), and QuTS hero h5.0.1.2348 build 20230324 (and later).

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.