=====================================================================

                                  CERT-Renater

                        Information Note No. 2023/VULN532

_____________________________________________________________________

DATE                : 12/12/2023

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): QVR Firmware versions 5.x.

=====================================================================
https://www.qnap.com/fr-fr/security-advisory/qsa-23-48
_____________________________________________________________________

Security ID : QSA-23-48
Vulnerability Affecting Legacy VioStor NVR

     Release date : December 9, 2023

     CVE identifier : CVE-2023-47565

     Affected products: QVR Firmware 4.x

Severity
High

Status
Resolved


Summary

An OS command injection vulnerability has been found to affect
legacy QNAP VioStor NVR models running QVR Firmware 4.x. If
exploited, the vulnerability could allow authenticated users
to execute commands via a network.

We have already fixed the vulnerability in QVR Firmware 5.0.0
on June 21, 2014:

     Affected Product        Fixed Version
     QVR Firmware 4.x        QVR Firmware 5.x and later


Recommendation

To mitigate the vulnerability, ensure you apply strong passwords
for all user accounts.

To further secure your device, we highly recommend updating QVR
to the latest version.

Changing User Passwords in QVR

     Log on to QVR.
     Go to Control Panel > Privilege > Users.
     Identify the user you want to edit.
     Note: Only administrators can change the passwords of other
     users.
     Click the Change Password icon.
     Specify a new, strong password.
     Verify the password.
     Click Apply.

Updating QVR Firmware

     Log on to QVR as an administrator.
     Go to Control Panel > System Settings > Firmware Update.
     Select the Firmware Update tab.
     Click Browse... to upload the latest firmware file.
     Tip: Download the latest firmware file for your specific
     model from https://www.qnap.com/go/download. Select
     "Legacy NVR" to locate your model.
     Click Update System.
     QVR installs the update.

Attachment

     CVE-2023-47565.json

Acknowledgements: Chad Seaman and Larry Cashdollar of Akamai
Technologies reported this vulnerability to CISA.


Revision History:
V1.0 (December 09, 2023) - Published



=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
