CVE-2023-50358

Name of the Vulnerable Software and Affected Versions QTS versions prior to 5.1.5.2645 build 20240116 QTS versions prior to 4.5.4.2627 build 20231225 QTS versions prior to 4.3.6.2665 build 20240131 QTS versions prior to 4.3.4.2675 build 20240131 QTS versions prior to 4.3.3.2644 build 20240131 QTS versions prior to 4.2.6 build 20240131 QuTS hero versions prior to h5.1.5.2647 build 20240118 QuTS hero versions prior to h4.5.4.2626 build 20231225 QuTScloud versions prior to c5.1.5.2651

Description An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to execute commands via a network. The vulnerability exists due to the lack of measures to neutralize special elements used in the operating system command. Researchers detected vulnerable devices from 289,665 separate IP addresses. The vulnerability is related to the Quick.cgi file and can be exploited by sending a request to the "/cgi-bin/quick/quick.cgi" endpoint. The todo parameter, specifically the set timeinfo value, and the SPECIFIC SERVER variable are involved in the exploitation. The vulnerability allows an attacker to execute arbitrary commands, potentially leading to a remote code execution attack.

Recommendations For QTS versions prior to 5.1.5.2645 build 20240116, update to QTS 5.1.5.2645 build 20240116 or later. For QTS versions prior to 4.5.4.2627 build 20231225, update to QTS 4.5.4.2627 build 20231225 or later. For QTS versions prior to 4.3.6.2665 build 20240131, update to QTS 4.3.6.2665 build 20240131 or later. For QTS versions prior to 4.3.4.2675 build 20240131, update to QTS 4.3.4.2675 build 20240131 or later. For QTS versions prior to 4.3.3.2644 build 20240131, update to QTS 4.3.3.2644 build 20240131 or later. For QTS versions prior to 4.2.6 build 20240131, update to QTS 4.2.6 build 20240131 or later. For QuTS hero versions prior to h5.1.5.2647 build 20240118, update to QuTS hero h5.1.5.2647 build 20240118 or later. For QuTS hero versions prior to h4.5.4.2626 build 20231225, update to QuTS hero h4.5.4.2626 build 20231225 or later. For QuTScloud versions prior to c5.1.5.2651, update to QuTScloud c5.1.5.2651 or later. As a temporary workaround, consider restricting access to the "/cgi-bin/quick/quick.cgi" endpoint until a patch is available. Avoid using the todo parameter with the set timeinfo value in the affected API endpoint until the issue is resolved.