Researchers found an array of high severity vulnerabilities in network storage vendor QNAP’s web console, which could enable an authenticated attacker to gain privileges and execute arbitrary commands on the system.
The web-based platform, Q’center, allows users to manage network attached storage across multiple sites. According to SecureAuth and CoreSecurity’s security advisory, issued Wednesday, Q’center version 1.6.1056 and Q’center version 1.6.1075 are impacted.
“Multiple vulnerabilities were found in the QCenter web console that would allow an attacker to execute arbitrary commands on the system,” researchers said. “QNAP’s QCenter web console includes a functionality that would allow an authenticated attacker to elevate privileges on the system.”
QNAP said in a security advisory that it has fixed the issues in Q’center Virtual Appliance version 1.7.1083 and later, and urged customers to update to the latest version.
Researchers discovered five vulnerabilities total, including an information exposure issue in an API endpoint of the web application that allows privilege escalation; and four command-injection issues in different admin functions and setting configurations.
Researchers found the privilege escalation flaw (CVE-2018-0706) in the application’s API endpoint, which functions to return information about the accounts defined in the database.
An authenticated user can access that endpoint and view the information that is being returned, researchers said. There they can see an extra field (that’s labeled “new_password”) that contains the password for the administrator, encoded in base64.
“Any authenticated user could access this API endpoint and retrieve the admin user’s password, therefore being able to login as an administrator,” researchers said.
From there, four command execution flaws could enable an attacker to inject commands in the password input.
One of these command execution vulnerabilities (CVE-2018-0707) enables hackers to tweak the “change password” function for the administrative user.
When the admin user performs a password change, the application executes an OS command to impact the changes. Due to the flaw, the input is not properly sanitized when passed down to the OS, allowing an attacker to run arbitrary commands, researchers said.
“The API requires to send the password encoded in base64,” researchers said. “This makes a lot easier to inject command as we do not need to bypass any filters. For the admin user in the web application, there is also a backing user present on the OS.”
Once a hacker obtains the OS password from the privilege escalation vulnerability, they can modify the network configuration.
However, even beyond that, researchers discovered multiple flaws in the web console could also enable users with a “Power User” profile could also execute various functions, despite not having access in the web application interface.
This profile is also capable of modifying the SSH configuration via a command execution bug (CVE-2018-0710) in SSH settings configuration update; modifying the network configuration (CVE-2018-0708) and modifying the date configuration (CVE-2018-0709).
Core Security first notified QNAP about the flaws March 13, including a draft advisory. Researchers said other products and versions might be affected, but they were not tested.The vulnerabilities were discovered by Ivan Huertas from Core Security Consulting Services.
To update Q’Center Virtual Appliance, customers can go to qnap.com/utilities on their web browser, and download the Q’Center Virtual Appliance Patch.