QNAP, a Taiwanese manufacturer of network-attached storage (NAS) devices, has issued urgent updates to address a critical security vulnerability that poses a significant risk of arbitrary code injection in its products.

The vulnerability, tracked as CVE-2022-27596, carries a CVSS score of 9.8 out of 10, which places it in the critical range. It primarily affects versions QTS 5.0.1 and QuTS hero h5.0.1.

In a recently released security advisory, QNAP says the flaw enables remote attackers to inject malicious code into affected systems. While specific technical details remain limited, the NIST National Vulnerability Database (NVD) has classified it as an SQL injection vulnerability, allowing attackers to send specially crafted SQL queries to bypass security measures and access or potentially alter critical information.

As outlined by MITRE, such SQL injection attacks not only enable unauthorized reading of sensitive data but also provide avenues for unauthorized alterations or deletion of this data, further heightening the risk faced by businesses leveraging QNAP devices.

To remediate this vulnerability, QNAP has released fixes in QTS 5.0.1.2234 (build 20221201) and QuTS hero h5.0.1.2248 (build 20221215) or later. Users are strongly encouraged to log in as administrators, navigate to the Control Panel, and check for firmware updates immediately.
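For administrators with more than one device, the fixed builds listed above can be checked against an inventory export. The following is an added example, not QNAP's or the article's code; the `host,product,version,build` CSV layout, the function names and the sample rows are assumptions made for illustration.

```python
import re

# Fixed releases as stated in the article: (fourth version component, build date).
FIXED = {
    "qts": (2234, 20221201),
    "quts hero": (2248, 20221215),
}
AFFECTED_BRANCH = (5, 0, 1)  # QTS 5.0.1 and QuTS hero h5.0.1
VERSION_RE = re.compile(r"^h?(\d+)\.(\d+)\.(\d+)\.(\d+)$")


def classify(product, version, build):
    """Return 'vulnerable', 'patched', 'not_listed' or 'unknown' for one device."""
    fixed = FIXED.get(product.strip().lower())
    match = VERSION_RE.match(version.strip())
    if fixed is None or match is None or not build.strip().isdigit():
        return "unknown"  # unparseable row: check by hand rather than assume safe
    major, minor, patch, number = (int(g) for g in match.groups())
    if (major, minor, patch) != AFFECTED_BRANCH:
        return "not_listed"  # branch the article does not name as affected
    return "patched" if (number, int(build.strip())) >= fixed else "vulnerable"


def audit(inventory_csv):
    """Map hostname -> status for 'host,product,version,build' lines."""
    results = {}
    for line in inventory_csv.strip().splitlines():
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 4:
            results[fields[0]] = "unknown"
            continue
        host, product, version, build = fields
        results[host] = classify(product, version, build)
    return results


# Constructed sample inventory (hostnames and rows are illustrative).
SAMPLE = """
nas-01,QTS,5.0.1.2131,20220820
nas-02,QTS,5.0.1.2234,20221201
nas-03,QuTS hero,h5.0.1.2192,20221020
nas-04,QuTS hero,h5.0.1.2248,20221215
nas-05,QTS,4.5.4.2012,20220419
nas-06,QTS,5.0.1,
"""

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host}: {status}")
```

Rows reported as `unknown` or `not_listed` are not cleared by this check and should be compared against QNAP's advisory directly.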

According to Censys, an attack surface management firm, nearly 30,000 QNAP devices may be vulnerable to exploitation of CVE-2022-27596. The pervasive nature of such vulnerabilities, combined with the increasing incidence of ransomware attacks targeting QNAP products (most notably those executed by DeadBolt), adds urgency to the need for prompt updates.

Attack vectors such as SQL injection, outlined in the MITRE ATT&CK framework under tactics like initial access and persistence, illustrate the methods adversaries might utilize in exploiting these weaknesses. By leveraging social engineering or phishing tactics, attackers can gain initial access, later employing SQL injection techniques to maintain persistence within the system.

The vulnerability’s severity and its low exploitation complexity make QNAP devices appealing targets for cybercriminals. Geographic analysis reveals that the top ten countries with potentially affected devices include the United States, Italy, Germany, Japan, South Korea, and the United Kingdom, magnifying the implications of these vulnerabilities across international borders.
