VYPR
Unrated severity · NVD Advisory · Published Feb 2, 2024 · Updated Jun 17, 2025

QTS, QuTS hero, QuTScloud

CVE-2023-45037

Description

A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute code via a network.

We have already fixed the vulnerability in the following versions:
  • QTS 5.1.3.2578 build 20231110 and later
  • QuTS hero h5.1.3.2578 build 20231110 and later
  • QuTScloud c5.1.5.2651 and later
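
As an added example (not part of the advisory or any QNAP tooling), this Python script classifies firmware strings from an inventory against the fixed releases quoted above and the affected branches this page lists (QTS 5.1.x, QuTS hero h5.1.x, QuTScloud c5.x.x). The firmware string format it parses, the `status` labels and the sample inventory are assumptions constructed for illustration.

```python
import re

# Fixed releases and affected branches as listed on this advisory page.
# QuTScloud is listed without a build date, so only its version number is compared.
ADVISORY = {
    "QTS":       {"fixed": (5, 1, 3, 2578), "build": 20231110, "branch": (5, 1)},
    "QuTS hero": {"fixed": (5, 1, 3, 2578), "build": 20231110, "branch": (5, 1)},
    "QuTScloud": {"fixed": (5, 1, 5, 2651), "build": None,     "branch": (5,)},
}

# Assumed input format: "5.1.2.2533 build 20230926", "h5.1.3.2578" or "c5.1.0.2498".
_VERSION = re.compile(r"^[hc]?(\d+)\.(\d+)\.(\d+)\.(\d+)(?:\s+build\s+(\d{8}))?$", re.I)


def parse_version(text):
    """Return ((major, minor, patch, number), build_date_or_None)."""
    match = _VERSION.match(text.strip())
    if match is None:
        raise ValueError(f"unrecognised firmware string: {text!r}")
    *numbers, build = match.groups()
    return tuple(int(n) for n in numbers), int(build) if build else None


def status(product, firmware):
    """Classify firmware as 'fixed', 'vulnerable' or 'not-listed' for CVE-2023-45037."""
    entry = ADVISORY[product]
    numbers, build = parse_version(firmware)
    if numbers == entry["fixed"] and entry["build"] and build:
        # Same version number: the build date decides.
        return "fixed" if build >= entry["build"] else "vulnerable"
    if numbers >= entry["fixed"]:
        return "fixed"
    # Older than the fix: only branches the page lists are called vulnerable.
    if numbers[: len(entry["branch"])] == entry["branch"]:
        return "vulnerable"
    return "not-listed"


if __name__ == "__main__":
    # Constructed inventory for illustration, not real devices.
    inventory = [
        ("nas-01", "QTS", "5.1.2.2533 build 20230926"),
        ("nas-02", "QuTS hero", "h5.1.3.2578 build 20231110"),
        ("nas-03", "QuTScloud", "c5.1.0.2498"),
        ("nas-04", "QTS", "4.5.4.2627 build 20231225"),
    ]
    for host, product, firmware in inventory:
        print(f"{host:8} {product:10} {firmware:28} {status(product, firmware)}")
```

A `not-listed` result means the page gives no range for that branch, not that the device is unaffected.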

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A buffer copy without a size check in QNAP QTS, QuTS hero, and QuTScloud allows authenticated administrators to execute code via a network.

Vulnerability

CVE-2023-45037 is a buffer copy without checking size of input vulnerability in QNAP operating systems, including QTS 5.1.x, QuTS hero h5.1.x, and QuTScloud 5.x. The flaw resides in a component that processes network input, where a fixed-size buffer is used without validating the length of the source data, leading to a buffer overflow condition. The vulnerability is exploitable only by authenticated administrators who have network access to the device [1].

Exploitation

An attacker must first obtain administrative credentials for the affected QNAP device. With those credentials, the attacker can send a specially crafted network request that exceeds the expected buffer size. The request triggers a buffer copy operation that overflows the destination buffer, potentially corrupting adjacent memory. The exact sequence of steps involves authenticating as an administrator, then sending the malicious payload over the network to the vulnerable service [1].

Impact

Successful exploitation allows the authenticated administrator to execute arbitrary code on the device. This could lead to full compromise of the NAS, including data exfiltration, further lateral movement within the network, or persistent control of the device. The impact is limited to authenticated users, but the attacker gains code execution privileges at the system level [1].

Mitigation

QNAP has fixed the vulnerability in QTS 5.1.4.2596 build 20231128 and later, QuTS hero h5.1.4.2596 build 20231128 and later, and QuTScloud c5.1.5.2651 and later. Users should update to these or newer versions via the Control Panel Firmware Update or by downloading from the QNAP website. No workarounds are available, and the vulnerability is not currently listed in CISA KEV [1].

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

6
  • Qnap/Qts (llm-fuzzy)
    Range: <5.1.3.2578
  • Qnap/QuTS hero (llm-fuzzy)
    Range: <h5.1.3.2578
  • Qnap/QuTScloud (llm-fuzzy)
    Range: <c5.1.5.2651
  • QNAP Systems Inc./QTS (v5)
    Range: 5.1.x
  • QNAP Systems Inc./QuTScloud (v5)
    Range: c5.x.x
  • QNAP Systems Inc./QuTS hero (v5)
    Range: h5.1.x

References

1
