Best NAS App Receives Critical Security Vulnerability Fix

Taiwan-based QNAP Systems has fixed a Remote Code Execution (RCE) vulnerability in Surveillance Station, an application that runs on many of its Network Attached Storage (NAS) devices. According to the advisory the company published, the flaw is a stack-based buffer overflow. "If exploited, this vulnerability allows attackers to execute arbitrary code," QNAP said, urging users of its NAS devices to update Surveillance Station to the latest version as soon as possible.
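QNAP's advisory does not describe where the overflow sits, so the following is an added illustration of the vulnerability class only, not QNAP's code and not a reproduction of the Surveillance Station bug. It shows the pattern that produces a stack-based buffer overflow (an unbounded copy of attacker-controlled input into a fixed-size stack buffer) beside the hardened form that checks the length first. The camera-name field, the NAME_MAX size and the sample inputs are all assumptions made up for this example.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed-size field, for illustration only (not QNAP code). */
#define NAME_MAX 32

/* Vulnerable pattern: copies a caller-supplied string into a fixed-size
   stack buffer with no length check. Input of NAME_MAX bytes or more
   runs past the buffer into adjacent stack data (saved registers, the
   return address), which is how a stack overflow turns into arbitrary
   code execution. Shown for contrast only; never feed it untrusted input. */
int register_camera_unsafe(const char *name)
{
    char buf[NAME_MAX];
    strcpy(buf, name);              /* no bound: classic stack overflow */
    return (int)strlen(buf);
}

/* Hardened pattern: measure the input against the buffer before copying,
   reject anything that would not fit together with its NUL terminator,
   and copy exactly the measured number of bytes. Oversized input yields
   -1 instead of corrupting the stack. A manual bounded scan is used so the
   example does not depend on strnlen() being declared. */
int register_camera_safe(const char *name)
{
    char buf[NAME_MAX];
    size_t n = 0;

    while (n < NAME_MAX && name[n] != '\0')
        n++;
    if (n >= NAME_MAX)
        return -1;                  /* would overflow: reject, do not copy */

    memcpy(buf, name, n);
    buf[n] = '\0';
    return (int)n;
}

/* Constructed inputs (assumed, not from any real device):
   a normal name, one that exactly fits (31 bytes + NUL), one that is
   exactly one byte too long (32 bytes), and one far past the buffer. */
static const char SAMPLE_OK[]   = "lobby-cam-01";                   /* 12 bytes */
static const char SAMPLE_EDGE[] = "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "A";   /* 31 bytes */
static const char SAMPLE_FULL[] = "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AA";  /* 32 bytes */
static const char SAMPLE_LONG[] = "AAAAAAAAAA" "AAAAAAAAAA"
                                  "AAAAAAAAAA" "AAAAAAAAAA";        /* 40 bytes */

int main(void)
{
    printf("safe, normal input:   %d\n", register_camera_safe(SAMPLE_OK));
    printf("safe, 31-byte input:  %d\n", register_camera_safe(SAMPLE_EDGE));
    printf("safe, 32-byte input:  %d\n", register_camera_safe(SAMPLE_FULL));
    printf("safe, 40-byte input:  %d\n", register_camera_safe(SAMPLE_LONG));
    /* register_camera_unsafe(SAMPLE_LONG) would corrupt the stack and is
       deliberately not called. */
    return 0;
}
```

The off-by-one at 31 versus 32 bytes is the boundary a reviewer should check in any fixed-buffer handler: the NUL terminator needs its own byte, so the largest accepted length is NAME_MAX - 1, not NAME_MAX.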

Software vulnerabilities

Surveillance Station is QNAP's video management system (VMS), used to manage and monitor multiple IP cameras from the NAS. Because the application runs on the NAS itself, exploiting the RCE vulnerability would also reportedly let an attacker subvert any security software or anti-malware scanners running on the compromised device.

In addition to the critical RCE vulnerability, QNAP reportedly fixed a medium-severity cross-site scripting (XSS) vulnerability in another of its most widely used applications, Photo Station, which is used to manage and display photos stored on the NAS. According to QNAP, the XSS vulnerability allowed remote attackers to inject malicious code if exploited. QNAP has released updated versions of both Surveillance Station and Photo Station to address their respective vulnerabilities; an installed app is only as protected as the device it runs on, so NAS units that expose these apps to the Internet should be updated first.

NAS devices are a frequent target for threat actors because they tend to hold a trove of sensitive documents and files. QNAP devices have been hit by several malicious campaigns; the company recently warned users about Dovecat, a crypto-mining malware that specifically targeted Internet-facing QNAP devices protected by weak passwords and used them for cryptocurrency mining.

Via: BleepingComputer