Security News > 2021 > April > Exploit Released for Critical Vulnerability Affecting QNAP NAS Devices
An exploit is now publicly available for a remote code execution vulnerability affecting QNAP network-attached storage devices that run the Surveillance Station video management system.
The bug, specifically a memory corruption issue, was found to impact QNAP NAS devices running Surveillance Station versions 5.1.5.4.2 and 5.1.5.3.2, and was addressed in February this year.
Tracked as CVE-2020-2501, this security hole is a stack-based buffer overflow that could be abused by remote attackers to execute code on an affected system, without authentication.
In its advisory, QNAP credits an independent researcher for finding and reporting the flaw, but does not provide further details on the issue itself or on its exploitation.
This week, vulnerability hunting and disclosure company SSD Secure Disclosure published additional details on the vulnerability, as well as exploit code to demonstrate how attacks targeting it work.
An attacker could send a specially crafted HTTP request to a vulnerable QNAP NAS device, which would overflow an internal buffer that the Surveillance Station plugin uses, thus achieving arbitrary code execution.
News URL
Related news
- QNAP addresses critical flaws across NAS, router software (source)
- PoC exploit for critical WhatsUp Gold RCE vulnerability released (CVE-2024-8785) (source)
- QNAP fixes NAS backup software zero-day exploited at Pwn2Own (source)
- Hackers target critical zero-day vulnerability in PTZ cameras (source)
- Synology Urges Patch for Critical Zero-Click RCE Flaw Affecting Millions of NAS Devices (source)
- Cisco Releases Patch for Critical URWB Vulnerability in Industrial Wireless Systems (source)
- Critical vulnerability in Cisco industrial wireless access points fixed (CVE-2024-20418) (source)
- CISA Alerts to Active Exploitation of Critical Palo Alto Networks Vulnerability (source)
- D-Link won’t fix critical flaw affecting 60,000 older NAS devices (source)
- Week in review: Zero-click flaw in Synology NAS devices, Google fixes exploited Android vulnerability (source)
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2021-02-17 | CVE-2020-2501 | Out-of-bounds Write vulnerability in Qnap Surveillance Station A stack-based buffer overflow vulnerability has been reported to affect QNAP NAS devices running Surveillance Station. | 9.8 |