The Network Attached Storage (NAS) devices manufacturer giant QNAP published an advisory on 30th June 2023 in which QNAP announced a critical code injection vulnerability in QNAP NAS devices. The vulnerability tracked under this identifier CVE-2022-27596 is a Critical severity vulnerability with a CVSS score of 9.8 out of 10. Technical details behind the flaw are not confirmed yet. Since this flaw allows an attacker to carry out remote code execution attacks just by sending crafted SQL queries, it is most important to fix the CVE-2022-27596 vulnerability. Let’s see how to fix CVE-2022-27596, a Code Injection vulnerability in QNAP NAS devices that lead to an RCE attack.
A Short Introduction About QNAP NAS
QNAP NAS, a familiar name in the world of network-attached storage, is the go-to choice for those seeking dependability and versatility. Whether you’re a home user seeking to store precious memories or a business owner looking for robust storage solutions, QNAP has got you covered. Boasting a diverse lineup of models, from basic to top-of-the-line, QNAP offers options to meet every need. But that’s not all. This storage giant also supports a multitude of protocols, making it a flexible and efficient storage solution for a variety of use cases – personal and professional alike.
QTS 5.x and QuTS hero h5..x:
Step into the future of data management with QTS 5.x- the cutting-edge operating system from QNAP Systems Inc. Designed for their NAS devices, QTS 5.x boasts a user-friendly interface and a vast array of applications to aid in the management, protection, and sharing of digital assets. This futuristic operating system packs in advanced features such as virtualization, containerization, and disaster recovery – ensuring data security and a seamless storage experience for all users.
For businesses seeking maximum value from their data, there’s QuTS hero h5.x – a high-performance version of QTS 5.x optimized for the QuTS hero series NAS devices. This powerhouse OS combines the best of QTS 5.x with innovative hardware and a unique data management architecture, delivering exceptional performance, reliability, and scalability. QuTS hero h5.x comes equipped with advanced storage features, including storage pooling, data backup and recovery, and disaster recovery solutions, making it the ultimate choice for businesses that demand the very best in data management solutions.
Summary of CVE-2022-27596
This is a critical severity Code Injection vulnerability in QNAP NAS operating systems which as got a CVSS score of 9.8 out of 10 on the scale. The successful exploitation of this code injection vulnerability would allow a remote attacker to perform arbitrary code execution attacks. As per the advisory published by QNAP, this flaw could be exploitable just by sending crafted SQL queries. Attackers could abuse this vulnerability to bypass security controls, unauthorized access or sometimes alter valuable information on the vulnerable versions of QNAP NAS operating systems.
|Associated CVE ID||CVE-2019-27596|
|Description||A Code Injection Vulnerability in QNAP NAS Devices that Lead to RCE Attack|
|Associated ZDI ID||–|
|CVSS Score||9.8 Critical|
|Attack Vector (AV)||Network|
|Attack Complexity (AC)||Low|
|Privilege Required (PR)||None|
|User Interaction (UI)||None|
QNAP NAS OS Vulnerable to CVE-2022-27596:
This flaw affects all the QNAP devices runs on QTS 5.0.1 and QuTS hero h5.0.1.
- QTS 5.0.1
- QuTS hero h5.0.1.
How to Fix CVE-2022-27596- A Code Injection Vulnerability in QNAP NAS Devices That Lead to RCE Attack?
Well, the vendor has released the patch to fix the CVE-2022-27596, a critical Code Injection vulnerability. Please upgrade your QNAP OS to these fixed versions. We always recommend regular upgrades and keeping your device to the latest version.
- QTS 18.104.22.1684 build 20221201 and later
- QuTS hero h22.214.171.1248 build 20221215 and later
Follow This Procedure To upgrade QNAP NAS QTS, QuTS Hero, OR QuTScloud From The Console:
- Log on to QTS, QuTS hero, or QuTScloud as administrator.
- Go to Control Panel > System > Firmware Update.
- Under Live Update, click Check for Update.
QTS, QuTS hero, or QuTScloud downloads and installs the latest available update by themselves.
Follow this procedure to upgrade QNAP from the software center:
- Go to Support > Download Center to download the update from the QNAP website.
- Perform a manual update for your specific device.
This simple procedure completes the upgradation procedure.