Remote Code Execution vulnerability in Photo Station affects over 450,000 QNAP NAS devices
QNAP Systems stands for Quality Network Appliance Provider which is a manufacturer of network appliance and storage solutions; the company specializes in hardware systems for file sharing, storage management, virtualization, and cloud services, as well as surveillance applications for home and businesses. The company offers a range of products for various environments, from SOHO to enterprise-scale companies.
The QNAP systems contain a vulnerability that can take access over its data remotely, the flaw resides in the Photo Station, a photo album app that comes preinstalled with all recent versions of QNAP NAS systems.
According to a report, the Photo Station app is installed on around 80% of all QNAP NAS systems; that is around 450k devices. These systems are vulnerable to remote takeover attacks.
A security researcher has found that there are 4 vulnerabilities present in the QNAP systems. 3 vulnerabilities belong to the Photo station and 1 to the QTS app (file manager app).
- CVE-2019-7192 (CVSS 9.8) (Photo Station bug)
- CVE-2019-7194 (CVSS 9.8) (Photo Station bug)
- CVE-2019-7195 (CVSS 9.8) (Photo Station)
- CVE-2019-7193 (CVSS 9.8) (QTS app bug, unrelated)
The researcher said the three Photo Station bugs can be chained together to bypass authentication (bug #1), insert malicious code in the Photo Station app PHP session (bug #2), and then install a web shell on unpatched QNAP devices (bug #3).
According to research, the Photo Station app runs with root privileges, by the help of 3 vulnerabilities attackers can exploit the three bugs to take full control over QNAP devices.
To avoid getting affected by those vulnerabilities users need to update the QNAP firmware and then update the Photo Station and QTS app from the QNAP store. If Users can’t update, it’s recommended that they disconnect devices from the internet to avoid attacks from botnets or ransomware gangs.