6.8 - VU#927644

Executive Summary

This Alert is flagged as TOP 25 Common Weakness Enumeration from CWE/SANS. For more information, you can read this.

Summary
Title	QNAP VioStor NVR firmware version 4.0.3 and QNAP NAS multiple vulnerabilities

Informations
Name	VU#927644	First vendor Publication	2013-06-05
Vendor	VU-CERT	Last vendor Modification	2013-07-02
Severity (Vendor)	N/A	Revision	M

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score	NA
Base Score	NA	Environmental Score	NA
impact SubScore	NA	Temporal Score	NA
Exploitabality Sub Score	NA

Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:M/Au:N/C:P/I:P/A:P)
Cvss Base Score	6.8	Attack Range	Network
Cvss Impact Score	6.4	Attack Complexity	Medium
Cvss Expoit Score	8.6	Authentication	None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Vulnerability Note VU#927644

QNAP VioStor NVR firmware version 4.0.3 and QNAP NAS multiple vulnerabilities

Original Release date: 05 Jun 2013 | Last revised: 02 Jul 2013

Overview

QNAP VioStor NVR firmware version 4.0.3 and possibly earlier versions and QNAP NAS contains multiple vulnerabilities which may allow an attacker to perform administrative functions against the hosted server.

Description

QNAP VioStor NVR firmware version 4.0.3 and possibly earlier versions and QNAP NAS with the Surveillance Station Pro activated contains multiple vulnerabilities which may allow an attacker to perform administrative functions against the hosted server.

CWE-284: Improper Access Control CVE-2013-0142
VioStor NVR firmware version 4.0.3 and possibly earlier versions and QNAP NAS with the Surveillance Station Pro activated contains a hardcoded guest account and password which can be leveraged to login to the webserver. It has been reported that it is not possible to view or administer the guest account using the web interface.

CWE-77: Improper Neutralization of Special Elements used in a Command CVE-2013-0143
VioStor NVR firmware version 4.0.3 and possibly earlier versions and QNAP NAS with the Surveillance Station Pro activated contains scripts which could allow any user e.g. guest users to execute scripts which run with administrative privileges. It is possible to execute code on the webserver using the ping function.
Example: http://[server-ip]/cgi-bin/pingping.cgi?ping_ip=1;whoami

CWE-352: Cross-Site Request Forgery (CSRF). CVE-2013-0144
VioStor NVR firmware version 4.0.3 and possibly earlier versions contains a cross-site request forgery vulnerability could allow an attacker to add a new administrative account to the server by tricking an administrator to click on a malicious link while they are currently logged into the webserver.
Example: http://[server-ip]/cgi-bin/create_user.cgi?OK=&function=USER&subfun=NEW&USERNAME=&NAME=attacker&PASSWD=12345&VERIFY=12345&create_user_list=admin&PTZ1=on&Audio1=on&PTZ2=on&Audio2=on&PTZ3=on&Audio3=on&PTZ4=on&Audio4=on

Impact

An authenticated (via known credentials or hardcoded guest account) attacker may be able to execute arbitrary commands or add administrative accounts to the server.

Solution

Update

QNAP has released firmware updates to address these vulnerabilities:

QNAP VioStor NVR firmware version 4.0.3 and possibly earlier versions users are advised to upgrade to QNAP VioStor NVR system firmware version 4.0.3 build 6612.
QNAP NAS with the Surveillance Station Pro activated are advised to upgrade to QNAP Surveillance Station Pro to v3.0.2 or higher.

Restrict Network Access

As a general good security practice, only allow connections from trusted hosts and networks. Restricting access would prevent an attacker from connecting to the service from a blocked network location.

Vendor Information (Learn More)

Vendor	Status	Date Notified	Date Updated
QNAP Security	Affected	-	17 Jun 2013

If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group	Score	Vector
Base	10.0	AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal	7.7	E:U/RL:U/RC:UC
Environmental	2.0	CDP:L/TD:L/CR:ND/IR:ND/AR:ND

References

http://www.qnapsecurity.com/AboutQNAP.asp
http://cwe.mitre.org/data/definitions/77.html
http://cwe.mitre.org/data/definitions/352.html
http://cwe.mitre.org/data/definitions/284.html
http://www.qnap.com/en/index.php?lang=en&sn=845&c=2699&sc=&n=18922
http://www.qnap.com/en/index.php?lang=en&sn=845&c=2699&sc=&n=18925

Credit

Thanks to Tim Herres and David Elze of Daimler TSS for reporting this vulnerability.

This document was written by Michael Orlando.

Other Information

CVE IDs:CVE-2013-0142CVE-2013-0143CVE-2013-0144
Date Public:05 Jun 2013
Date First Published:05 Jun 2013
Date Last Updated:02 Jul 2013
Document Revision:29

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Original Source

Url : http://www.kb.cert.org/vuls/id/927644

CWE : Common Weakness Enumeration

%	Id	Name
33 %	CWE-352	Cross-Site Request Forgery (CSRF) (CWE/SANS Top 25)
33 %	CWE-255	Credentials Management
33 %	CWE-94	Failure to Control Generation of Code ('Code Injection')

CPE : Common Platform Enumeration

Type	Description	Count
Hardware	Qnap Viostor Network Video Recorder cpe:2.3:h:qnap:viostor_network_video_recorder:-:::::::*	1
Os	Qnap Viostor Network Video Recorder cpe:2.3:o:qnap:viostor_network_video_recorder:4.0.3:::::::*	1

Snort® IPS/IDS

Date	Description
2018-05-23	QNAP QTS cross site request forgery attempt RuleID : 46342-community - Revision : 3 - Type : SERVER-OTHER
2018-05-17	QNAP QTS cross site request forgery attempt RuleID : 46342 - Revision : 3 - Type : SERVER-OTHER
2018-05-23	QNAP VioStor NVR and QNAP NAS command injection attempt RuleID : 46300-community - Revision : 3 - Type : SERVER-WEBAPP
2018-05-15	QNAP VioStor NVR and QNAP NAS command injection attempt RuleID : 46300 - Revision : 3 - Type : SERVER-WEBAPP
2018-05-23	QNAP VioStor NVR and QNAP NAS command injection attempt RuleID : 46299-community - Revision : 3 - Type : SERVER-WEBAPP
2018-05-15	QNAP VioStor NVR and QNAP NAS command injection attempt RuleID : 46299 - Revision : 3 - Type : SERVER-WEBAPP
2018-05-23	QNAP VioStor NVR and QNAP NAS command injection attempt RuleID : 46298-community - Revision : 3 - Type : SERVER-WEBAPP
2018-05-15	QNAP VioStor NVR and QNAP NAS command injection attempt RuleID : 46298 - Revision : 3 - Type : SERVER-WEBAPP
2018-05-23	QNAP VioStor NVR and QNAP NAS command injection attempt RuleID : 46297-community - Revision : 3 - Type : SERVER-WEBAPP
2018-05-15	QNAP VioStor NVR and QNAP NAS command injection attempt RuleID : 46297 - Revision : 3 - Type : SERVER-WEBAPP

Alert History

If you want to see full details history, please login or register.

Date	Informations
2013-07-03 00:18:12	Multiple Updates
2013-06-17 17:18:05	Multiple Updates
2013-06-10 17:23:05	Multiple Updates
2013-06-08 13:22:15	Multiple Updates
2013-06-05 21:19:14	First insertion

Global Informations

Type	Count
CWE ID(s)	3
CPE ID(s)	2
Snort® Rule(s)	10

	Related
6.8	CVE-2013-0144
6.5	CVE-2013-0143
5	CVE-2013-0142
Info : listing not affected by your CVSS Env Score

Same Subject	Severity
Login to view 3 more Alert(s)