QNAP Photo Station Externally Controlled Reference Vulnerability
QNAP (Quality Network Appliance Provider) is a Taiwanese corporation that specializes in Network Attached Storage (NAS) appliances used for file sharing, virtualization, storage management and surveillance applications.
QNAP’s Photo Station is a private cloud photo storage , service that can centrally store and manage full resolution photos across all devices with QNAP NAS.
QNAP Photo Station Externally Controlled Reference | CVE-2022-27593
An externally controlled reference to a resource vulnerability exists in QNAP NAS systems that are running Photo Station. If exploited, this could allow an attacker to modify system files. SonicWall Capture Labs threat research team has observed this vulnerability being exploited in the wild.
Following versions are vulnerable:
- QTS 5.0.1: Photo Station 6.1.2
- QTS 5.0.0/4.5.x: Photo Station 6.0.22
- QTS 4.3.6: Photo Station 5.7.18
- QTS 4.3.3: Photo Station 5.4.15
- QTS 4.2.6: Photo Station 5.2.14
According to CWE , Externally Controlled Reference Vulnerability means the product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere.
Following is an example of exploit:
This vulnerability can be exploited by remote, unauthenticated attackers without any user interaction.
The CVSS(Common Vulnerability Scoring System) score is 9.1 with Vector:CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
- Attack vector is network.
- Attack complexity is low.
- Privileges required is none.
- User interaction is none.
- Scope is unchanged.
- Impact of this vulnerability on data confidentiality is none.
- Impact of this vulnerability on data integrity is high.
- Impact of this vulnerability on data availability is high.
QNAP has patched this vulnerability.
Querying Shodan shows numerous QNAP devices, many of which many are still vulnerable.
SonicWall Capture Labs provides protection against this threat via following signature:
- IPS 15790:QNAP Photo Station Externally Controlled Reference