QNAP is warning customers to install QTS and QuTS firmware updates that fix a critical security vulnerability allowing remote attackers to inject malicious code on QNAP NAS devices.
The vulnerability is tracked as CVE-2022-27596 and rated by the company as ‘Critical’ (CVSS v3 score: 9.8), impacting QTS 5.0.1 and QuTS hero h5.0.1 versions of the operating system.
“A vulnerability has been reported to affect QNAP devices running QTS 5.0.1 and QuTS hero h5.0.1. If exploited, this vulnerability allows remote attackers to inject malicious code,” warns the QNAP security advisory.
The vendor hasn’t disclosed many details about the vulnerability or its exploitation potential, but the NIST portal describes it as a SQL injection flaw.
SQL injection flaws allow attackers to send specially crafted requests to vulnerable devices that alter the logic of legitimate SQL queries, causing the backend database to perform actions the application never intended.
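To make the mechanism concrete, the following is an added illustration, not code from QNAP or from the advisory: a hypothetical user-lookup against a small in-memory SQLite table (constructed sample data, not QNAP's schema), written once with the untrusted value concatenated into the statement and once as a parameterized query. The same crafted input changes the meaning of the first query and is treated as an ordinary string by the second.

```python
import sqlite3


def make_db():
    # Constructed sample table; stands in for whatever backend the
    # vulnerable application queries. Not QNAP's data or schema.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    return conn


def lookup_vulnerable(conn, name):
    # Untrusted input is spliced into the SQL text, so it becomes part of
    # the statement's grammar: a value containing quotes or operators can
    # change which rows the WHERE clause matches.
    sql = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, name):
    # Parameterized query: the driver sends the value separately from the
    # statement text, so it can only ever be compared as a string literal.
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo():
    # Run a benign and a crafted input through both versions and return
    # the row sets so the difference can be inspected or asserted.
    conn = make_db()
    benign = "bob"
    crafted = "x' OR '1'='1"  # textbook tautology; turns the filter into "always true"
    return {
        "vuln_benign": lookup_vulnerable(conn, benign),
        "vuln_crafted": lookup_vulnerable(conn, crafted),
        "hard_benign": lookup_hardened(conn, benign),
        "hard_crafted": lookup_hardened(conn, crafted),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

With the concatenated query the crafted input returns every row in the table, including the admin account; the parameterized query returns nothing, because no user is literally named `x' OR '1'='1`. Fixing the query construction, not filtering the input, is what closes this class of flaw, which is why a firmware update rather than a configuration change is the remedy here.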
Furthermore, QNAP released a JSON file describing the severity of the vulnerability, which indicates it is exploitable in low-complexity attacks by remote attackers, without requiring user interaction or privileges on the targeted device.
QNAP says users running QTS and QuTS hero should upgrade their devices to the following versions to remain safe:
QTS 220.127.116.114 build 20221201 and later
QuTS hero h18.104.22.1688 build 20221215 and later
To perform the update, customers can log into their devices as the admin user and go to “Control Panel → System → Firmware Update.”
Under the “Live Update” section, click the “Check for Update” option and wait for the download and installation to complete.
Alternatively, QNAP users may download the update from QNAP’s Download Center after selecting the correct product type and model, and then apply it manually on their devices.
QNAP’s advisory has not marked CVE-2022-27596 as actively exploited in the wild.
However, due to the flaw’s severity, users are recommended to apply available security updates as soon as possible, as threat actors actively target QNAP vulnerabilities.
QNAP devices are already the target of ongoing ransomware campaigns known as DeadBolt and eCh0raix, which are known to abuse vulnerabilities to encrypt data on exposed NAS devices.