If exploited, the security flaws allowed pre-authenticated RCE

An attack chain of bugs leading to remote code execution (RCE) on QNAP NAS devices has been resolved in QNAP's MusicStation and Malware Remover software.

An attack chain of bugs leading to remote code execution (RCE) on QNAP NAS devices has been resolved in QNAP’s MusicStation and Malware Remover software.

QNAP’s Music Station is a web application for managing music stored on a NAS device via the cloud, a technology installed on over five million devices. Malware Remover is an antivirus app ecosystem designed to protect QNAP NAS products.

Catch up on the latest cybersecurity research news

In a security advisory dated May 19, researchers at Italian security consultancy Shielder disclosed two vulnerabilities that could be chained to perform “pre-auth remote root command execution” if exploited by attackers.

The first vulnerability, tracked as CVE-2020-36197 and issued a CVSS severity score of 7.1, is an improper access control and arbitrary write security flaw in Music Station. The researchers found that the software’s album cover art upload function (arttype), musicstation/api/upload.php, did not stop the transfer of crafted, malicious files.

Upon parsing the arttype request parameter, the file is run on the root level in the QTS file system.

Music Station versions prior to 5.3.16 (QTS 4.5.2), before 5.2.10 (QTS 4.3.6) 5.1.14 and below (QTS 4.3.3), versions prior to 5.3.16 (QuTS h4.5.2), and versions 5.3.16 and below (QuTScloud c4.5.4) are all impacted.

Strike two

The second vulnerability, tracked as CVE-2020-36198, is a command injection bug which could allow attackers to run arbitrary commands by abusing an automatic scan mechanism.

The default app contains 19 modules that are mainly in pyc format, and one of these functions, modules/02_autoupgrade.pyc, is vulnerable to command injection and an arbitrary file write in an arbitrary file path -- both of which can be abused to obtain RCE as root.

Malware Remover versions prior to are affected.

“By chaining both issues it’s possible to gain pre-auth remote code execution with root privileges on a remote QNAP NAS,” Shielder says.

The critical vulnerabilities were reported through Trend Micro’s Zero Day Initiative (ZDI) and the vendor was made aware of the researchers’ findings in January 2021.

QNAP has resolved both vulnerabilities (1, 2), urging customers to update their software to the latest versions available as soon as possible.

The Daily Swig has reached out to QNAP for comment. We’ll update this story as and when we hear back.

RELATED QNAP fixes critical RCE vulnerabilities in NAS devices