Summary

A chain of vulnerabilities in QNAP NAS devices allowed a local or remote attacker to reliably gain code execution with root privileges.

It affected multiple QNAP operating system versions:

  • QTS < 5.1.4.2596
  • QTS < 4.5.4.2627
  • QuTS hero < h5.1.3.2578
  • QuTS hero < h4.5.4.2626
  • QuTScloud < c5.1.5.2651

Details

The chain of vulnerabilities was demonstrated during Pwn2Own Toronto 2023 against the QNAP TS-464, and leveraged three bugs:

  1. a path traversal in the share.cgi component that allowed creating a file at an arbitrary path;
  2. an authentication bypass in blobRequest.cgi;
  3. a command injection during log upload in blobRequest.cgi through a controlled file name.
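
Bugs 1 and 3 both turn on a file name or path that is attacker-controlled data. As an added example (not QNAP's code or its fix, neither of which this page shows), the C sketch below accepts a name only if it is a single path component and passes it to a helper as one argv element instead of through a shell. The names `is_plain_component` and `run_on_file`, and the use of `true` as the helper, are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper: accept only a single path component, so a name
 * can never climb out of the directory it is joined to. */
int is_plain_component(const char *name)
{
    if (name == NULL || name[0] == '\0' || strlen(name) > 255)
        return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return 0;
    return strchr(name, '/') == NULL;
}

/* Hypothetical helper: run `tool` on `name` without a shell. The name is
 * one argv element, so shell metacharacters in it stay literal bytes.
 * Returns the tool's exit status, or -1 if rejected or not run. */
int run_on_file(const char *tool, const char *name)
{
    int status;
    pid_t pid;

    if (!is_plain_component(name))
        return -1;
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* "--" ends option parsing: a leading '-' is not read as a flag */
        execlp(tool, tool, "--", name, (char *)NULL);
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    /* Constructed sample names; `true` stands in for the real helper. */
    const char *names[] = { "system.log", "a;b$(c).log", "../../tmp/x" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-14s -> %d\n", names[i], run_on_file("true", names[i]));
    return 0;
}
```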