Executive Summary

Summary
Title QNAP Signage Station and iArtist Lite contain multiple vulnerabilities
Informations
Name VU#444472 First vendor Publication 2016-02-25
Vendor VU-CERT Last vendor Modification 2016-02-25
Severity (Vendor) N/A Revision M

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:S/C:C/I:C/A:C)
Cvss Base Score 9 Attack Range Network
Cvss Impact Score 10 Attack Complexity Low
Cvss Expoit Score 8 Authentication Requires single instance
Calculate full CVSS 2.0 Vectors scores

Detail

Vulnerability Note VU#444472

QNAP Signage Station and iArtist Lite contain multiple vulnerabilities

Original Release date: 25 Feb 2016 | Last revised: 25 Feb 2016

Overview

The QNAP Signage Station prior to version 2.0.1 and the accompanying iArtist Lite application contain multiple vulnerabilities.

Description

CWE-434: Unrestricted Upload of File with Dangerous Type - CVE-2015-6022

An authenticated attacker without administrative permissions may upload a malicious file, such as a PHP script, to the QNAP Signage Station server. The attacker is then able to access the uploaded file via a predictable URL and execute the script. The script is executed on the server with administrator permissions.

CWE-290: Authentication Bypass by Spoofing - CVE-2015-6036

An unauthenticated attacker may spoof an HTTP request to the QNAP Signage Station in such a manner as to bypass authentication, allowing the attacker to perform actions such as upload files.

CWE-798: Use of Hard-coded Credentials - CVE-2015-7261
CWE-523: Unprotected Transport of Credentials

QNAP iArtist Lite contains a hard-coded FTP account and password, and uses these credentials to communicate with Signage Station. FTP transmits all data in plain text and is not secure from attackers eavesdropping on the network.

CWE-427: Uncontrolled Search Path Element - CVE-2015-7262

QNAP iArtist Lite allows a user to register a binary with the iArtist service, which will be executed with SYSTEM privileges upon next system restart.

Impact

An unauthenticated user may be able to execute commands on the server with system privileges.

Solution

Apply an update

QNAP has released Signage Station 2.0.1 and iArtist Lite 1.4.54 to address this issue. Affected users are encouraged to update as soon as possible.

Vendor Information (Learn More)

VendorStatusDate NotifiedDate Updated
QNAPAffected23 Sep 201516 Oct 2015
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

GroupScoreVector
Base9.0AV:N/AC:L/Au:S/C:C/I:C/A:C
Temporal7.4E:F/RL:OF/RC:C
Environmental5.6CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

  • http://cwe.mitre.org/data/definitions/290.html
  • http://cwe.mitre.org/data/definitions/434.html
  • http://cwe.mitre.org/data/definitions/798.html
  • http://cwe.mitre.org/data/definitions/427.html

Credit

Thanks to Mark Woods for reporting these vulnerabilities.

This document was written by Garret Wassermann.

Other Information

  • CVE IDs:CVE-2015-6022CVE-2015-6036CVE-2015-7261CVE-2015-7262
  • Date Public:25 Feb 2016
  • Date First Published:25 Feb 2016
  • Date Last Updated:25 Feb 2016
  • Document Revision:60

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Original Source

Url : http://www.kb.cert.org/vuls/id/444472

CWE : Common Weakness Enumeration

% Id Name
50 % CWE-255 Credentials Management
50 % CWE-18 Source Code

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 1

Snort® IPS/IDS

Date Description
2018-05-23 QNAP QTS hard coded credential access attempt
RuleID : 46335-community - Revision : 3 - Type : SERVER-OTHER
2018-05-17 QNAP QTS hard coded credential access attempt
RuleID : 46335 - Revision : 3 - Type : SERVER-OTHER

Nessus® Vulnerability Scanner

Date Description
2016-03-25 Name : The remote host contains a PHP script that is affected by an arbitrary file u...
File : signagestation_upload.nasl - Type : ACT_DESTRUCTIVE_ATTACK

Alert History

If you want to see full details history, please login or register.
0
1
2
3
4
5
6
7
Date Informations
2016-03-26 13:26:28
  • Multiple Updates
2016-03-11 21:30:48
  • Multiple Updates
2016-03-09 21:29:27
  • Multiple Updates
2016-03-09 00:28:42
  • Multiple Updates
2016-03-03 00:24:58
  • Multiple Updates
2016-02-27 09:28:33
  • Multiple Updates
2016-02-25 21:29:06
  • Multiple Updates
2016-02-25 21:23:59
  • First insertion