Security News > 2021 > April > Exploit Released for Critical Vulnerability Affecting QNAP NAS Devices
An exploit is now publicly available for a remote code execution vulnerability affecting QNAP network-attached storage devices that run the Surveillance Station video management system.
The bug, specifically a memory corruption issue, was found to impact QNAP NAS devices running Surveillance Station versions 5.1.5.4.2 and 5.1.5.3.2, and was addressed in February this year.
Tracked as CVE-2020-2501, this security hole is a stack-based buffer overflow that could be abused by remote attackers to execute code on an affected system, without authentication.
In its advisory, QNAP credits an independent researcher for finding and reporting the flaw, but does not provide further details on the issue itself or on its exploitation.
This week, vulnerability hunting and disclosure company SSD Secure Disclosure published additional details on the vulnerability, as well as exploit code to demonstrate how attacks targeting it work.
An attacker could send a specially crafted HTTP request to a vulnerable QNAP NAS device, which would overflow an internal buffer that the Surveillance Station plugin uses, thus achieving arbitrary code execution.
News URL
Related news
- PoC for critical Progress Flowmon vulnerability released (CVE-2024-2389) (source)
- Critical Git vulnerability allows RCE when cloning repositories with submodules (CVE-2024-32002) (source)
- QNAP QTS zero-day in Share feature gets public RCE exploit (source)
- 15 QNAP NAS bugs and one PoC disclosed, update ASAP! (CVE-2024-27130) (source)
- QNAP Patches New Flaws in QTS and QuTS hero Impacting NAS Appliances (source)
- PoC exploits for critical FortiSIEM command execution flaws released (CVE-2024-23108, CVE-2023-34992) (source)
- FlyingYeti Exploits WinRAR Vulnerability to Deliver COOKBOX Malware in Ukraine (source)
- Exploit for critical Progress Telerik auth bypass released, patch now (source)
- Emergency patches released for critical vulns impacting EOL Zyxel NAS boxes (source)
- Zyxel patches critical flaws in EOL NAS devices (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2021-02-17 | CVE-2020-2501 | Out-of-bounds Write vulnerability in Qnap Surveillance Station A stack-based buffer overflow vulnerability has been reported to affect QNAP NAS devices running Surveillance Station. | 7.5 |