QNAP fixes critical QVR remote command execution vulnerability


QNAP has released several security advisories today, one of them for a critical security issue that allows remote execution of arbitrary commands on vulnerable QVR systems, the company’s video surveillance solution hosted on a NAS device.

The QVR IP video surveillance system supports multiple feed channels and cross-platform video decoding and it is designed for monitoring both home and office environments.

The vulnerability is tracked as CVE-2022-27588 and has a critical severity score of 9.8. It impacts QVR versions older than 5.1.6 build 20220401.
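The advisory states the affected range only as "older than 5.1.6 build 20220401", so deciding whether a given system is patched means comparing the build date as well as the dotted version number. The following Python is an added example, not QNAP's code or anything from the advisory: it parses QVR version strings of that form and flags the ones that fall below the fixed build. The only fact taken from the page is the fixed version; the hostnames and versions in the inventory are constructed for the example.

```python
"""Flag QVR versions that are older than the fixed build for CVE-2022-27588.

Added example, not QNAP code. The fixed version comes from the advisory as
quoted in the article; the inventory below is constructed for illustration.
"""
import re
from typing import Dict, List, NamedTuple

# Fixed version stated in QNAP's advisory for CVE-2022-27588.
FIXED_QVR_VERSION = "5.1.6 build 20220401"


class QvrVersion(NamedTuple):
    major: int
    minor: int
    patch: int
    build: int  # YYYYMMDD build date; tuple ordering compares it last


# Accepts "5.1.6 build 20220401", "5.1.6 20220401" or a bare "5.1.6".
_VERSION_RE = re.compile(
    r"^\s*(\d+)\.(\d+)\.(\d+)(?:\s*(?:build\s*)?(\d{8}))?\s*$", re.IGNORECASE
)


def parse_qvr_version(text: str) -> QvrVersion:
    """Parse a QVR version string into a comparable (major, minor, patch, build) tuple."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised QVR version string: {text!r}")
    major, minor, patch, build = m.groups()
    # A version reported without a build date cannot be proven fixed: build 0
    # sorts below every real build, so a bare "5.1.6" is treated as vulnerable.
    return QvrVersion(int(major), int(minor), int(patch), int(build) if build else 0)


def is_vulnerable_to_cve_2022_27588(installed: str) -> bool:
    """True when the installed QVR is older than the fixed build."""
    return parse_qvr_version(installed) < parse_qvr_version(FIXED_QVR_VERSION)


# Constructed inventory: hostnames and versions are made up for this example.
SAMPLE_INVENTORY: Dict[str, str] = {
    "nvr-lobby": "5.1.5 build 20211210",     # older release
    "nvr-warehouse": "5.1.6 build 20220310",  # same 5.1.6, earlier build
    "nvr-parking": "5.1.6 build 20220401",    # exactly the fixed build
    "nvr-office": "5.1.6",                    # build unknown, treated as vulnerable
    "nvr-lab": "5.1.7 build 20220601",        # hypothetical later release
}


def hosts_needing_patch(inventory: Dict[str, str]) -> List[str]:
    """Return the sorted hostnames whose QVR is older than the fixed build."""
    return sorted(h for h, v in inventory.items() if is_vulnerable_to_cve_2022_27588(v))


if __name__ == "__main__":
    for host in hosts_needing_patch(SAMPLE_INVENTORY):
        print(f"{host}: QVR {SAMPLE_INVENTORY[host]} is older than {FIXED_QVR_VERSION}")
```

The comparison deliberately treats a version with no build date as unpatched: two systems can both report 5.1.6 while only one carries the 20220401 build, so a check that stops at the dotted version would clear a vulnerable device.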

QNAP’s advisory explains that the “vulnerability has been reported to affect QNAP VS Series NVR running QVR. If exploited, this vulnerability allows remote attackers to run arbitrary commands.”

This type of security flaw allows a threat actor to execute commands on the target to change settings, access sensitive information, or take control of the device. Depending on the context, it could also be used to move deeper into the network.

As we have seen in the past, critical vulnerabilities in QNAP systems are leveraged almost immediately in cyberattacks once an exploit becomes publicly available.

BleepingComputer has reached out to QNAP to request information on whether CVE-2022-27588 is actively exploited and we will update the article with the company’s response.

Multiple QNAP fixes

Apart from the critical issue in QVR, QNAP also addressed eight vulnerabilities in other products, with severity ratings between medium and high.

Here is the complete list of fixes:

  • CVE-2022-27588: Critical-severity RCE in QNAP QVR
  • CVE-2021-38693: Medium-severity path traversal vulnerability in thttpd, affecting QTS, QuTS hero, and QuTScloud.
  • CVE-2021-44055: Medium severity flaw allowing remote access of data in some Video Station versions.
  • CVE-2021-44056: Medium severity flaw allowing remote access of data in some Video Station versions.
  • CVE-2021-44057: High-severity vulnerability in QNAP NAS running Photo Station.
  • CVE-2021-44051: High-severity command injection flaw that allows arbitrary remote command execution in QTS, QuTS hero, and QuTScloud.
  • CVE-2021-44052: High-severity link resolution flaw that allows malicious file actions in QTS, QuTS hero, and QuTScloud.
  • CVE-2021-44053: High-severity cross-site scripting (XSS) flaw that allows remote code injection in QTS, QuTS hero, and QuTScloud.
  • CVE-2021-44054: High-severity open-redirect vulnerability that allows user redirection to a malware-laced page in QTS, QuTS hero, and QuTScloud.

For details on the impacted versions and the releases that incorporate the security updates, consult QNAP's security advisory for each CVE listed above.

At this time, QNAP has not provided mitigation guidance, so the recommended action is to update your software to the latest available version.

