The fact is that three of the four problems found were related to the preinstalled Photo Station photo album application. This application can be found on 80% of Qnap devices. As a result, according to the researcher, the approximate number of vulnerable devices is about 450,000 (based on data from the Shodan IoT search engine and an expert’s own rough estimate).
As mentioned above, three vulnerabilities affect the Photo Station application (versions prior to 6.0.3, 5.2.11 and 5.4.9), and the fourth bug is related to the QTS file manager application. All four problems scored 9.8 points on the CVSS vulnerability rating scale, that is, they have critical status:
- CVE-2019-7192 (Photo Station);
- CVE-2019-7194 (Photo Station);
- CVE-2019-7195 (Photo Station);
- CVE-2019-7193 (QTS file manager).
Worse, the three vulnerabilities in Photo Station can be combined into a single chain: bypass authentication using CVE-2019-7192, inject malicious code into the PHP session of the Photo Station application using CVE-2019-7194, and then plant a web shell on the vulnerable device using CVE-2019-7195. Since Photo Station runs with root privileges, the attacker gets the opportunity to establish full control over the affected Qnap device.
Juan writes that he discovered these vulnerabilities and reported them to Qnap representatives in June 2019. The company fixed all the bugs and released updates for Photo Station and QTS in November 2019, but the expert waited several months before disclosing details of the bugs, as he wanted to give users more time to install the patches. I note that updating QTS requires updating the firmware of the device, while the Photo Station update is available through the Qnap Application Center.