====================================================================

                              CERT-Renater

                 Note d'Information No. 2017/VULN080
_____________________________________________________________________

DATE                : 22/03/2017

HARDWARE PLATFORM(S): QNAP NAS.

OPERATING SYSTEM(S): QTS versions prior to 4.2.4 Build 20170313.

=====================================================================
https://www.qnap.com/en/support/con_show.php?cid=113
____________________________________________________________________

Security Vulnerabilities Addressed in QTS 4.2.4 Build 20170313

Release date:      March 21, 2017
Last updated:      March 21, 2017
Bulletin           ID:NAS-201703-21
Severity rating:   Critical
Affected products: All QNAP NAS running QTS


Summary

QTS 4.2.4 Build 20170313 includes security fixes for the following
vulnerabilities:

    Configuration file vulnerability (CVE-2017-5227) reported by
Pasquale Fiorillo of the cyber security company, ISGroup
(www.isgroup.biz), a cyber security company, and Guido Oricchio of
PCego (www.pcego.com), a system integrator

    SQL injection, command injection, heap overflow, cross-site
scripting, and three stack overflow vulnerabilities reported by Peter
Kostiuk, a security researcher at Salesforce.com

    Three command injection vulnerabilities (CVE-2017-6361,
CVE-2017-6360, and CVE-2017-6359) reported by Harry Sintonen of F-Secure

    Access control vulnerability that would incorrectly restrict
authorized user access to resources

    Two stack overflow vulnerabilities that could be exploited to
execute malicious codes reported by Oliver Gruskovnjak, Security
Researcher (Salesforce.com)

    Clickjacking vulnerability that could be exploited to trick users
into clicking malicious links

    Missing HttpOnly Flag From Cookie vulnerability that could be
exploited to steal session cookies

    SNMP Agent Default Community Name vulnerability that could be
exploited to gain access to the system using the default community
string

    NMP credentials in clear text vulnerability that could be exploited
to steal user credentials

    LDAP anonymous directory access vulnerability that could be
exploited to allow anonymous connections


Solution

To fix these security vulnerabilities, install QTS 4.2.4 Build 20170313.

Installing the Update

    Log in as an administrator on your QNAP NAS.
    Go to Control Panel > System > Firmware Update.
    Under Live Update, click Check for Update.

Tip: You can also download the build from the QNAP website. Go to
Support > Download and then perform a manual update.


==========================================================
Serveur de référence du CERT-Renater
https://services.renater.fr/ssi/
==========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44           +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41           +
+ 75013 Paris           | email: cert@support.renater.fr +
==========================================================