QNAP Photo Station Multiple Vulnerabilities (NAS-201911-25)

2022-06-1300:00:00

www.tenable.com

JSON

The version of Photo Station running on the remote QNAP NAS is affected by multiple vulnerabilities, as follows:

This improper input validation vulnerability allows remote attackers to inject arbitrary code to the system. To fix the vulnerability, QNAP recommend updating QTS to their latest versions. (CVE-2019-7193)
This improper access control vulnerability allows remote attackers to gain unauthorized access to the system. To fix these vulnerabilities, QNAP recommend updating Photo Station to their latest versions.
(CVE-2019-7192)
This external control of file name or path vulnerability allows remote attackers to access or modify system files. To fix the vulnerability, QNAP recommend updating Photo Station to their latest versions.
(CVE-2019-7194, CVE-2019-7195)

Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.

##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(162137);
  script_version("1.4");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/08/12");

  script_cve_id(
    "CVE-2019-7192",
    "CVE-2019-7193",
    "CVE-2019-7194",
    "CVE-2019-7195"
  );
  script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2022/06/22");

  script_name(english:"QNAP Photo Station Multiple Vulnerabilities (NAS-201911-25)");

  script_set_attribute(attribute:"synopsis", value:
"A photo gallery application running on the remote NAS is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The version of Photo Station running on the remote QNAP NAS is affected by multiple vulnerabilities,
as follows:

  - This improper input validation vulnerability allows remote attackers to inject arbitrary code to the
    system. To fix the vulnerability, QNAP recommend updating QTS to their latest versions. (CVE-2019-7193)

  - This improper access control vulnerability allows remote attackers to gain unauthorized access to the
    system. To fix these vulnerabilities, QNAP recommend updating Photo Station to their latest versions.
    (CVE-2019-7192)

  - This external control of file name or path vulnerability allows remote attackers to access or modify
    system files. To fix the vulnerability, QNAP recommend updating Photo Station to their latest versions.
    (CVE-2019-7194, CVE-2019-7195)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://www.qnap.com/zh-tw/security-advisory/nas-201911-25");
  script_set_attribute(attribute:"solution", value:
"See vendor advisory.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-7193");
  script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2019-7195");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2019/11/25");
  script_set_attribute(attribute:"patch_publication_date", value:"2019/11/25");
  script_set_attribute(attribute:"plugin_publication_date", value:"2022/06/13");

  script_set_attribute(attribute:"plugin_type", value:"combined");
  script_set_attribute(attribute:"cpe", value:"cpe:/h:qnap:photo_station");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:qnap:photo_station");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2022 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("qnap_photostation_detect.nbin", "qnap_qts_quts_hero_web_detect.nbin", "qnap_qts_installed.nbin");
  script_require_ports("Services/www", 8080, "installed_sw/QNAP QTS", "installed_sw/QNAP Photo Station");

  exit(0);
}

include('vcf.inc');
include('install_func.inc');

var qts_installs = get_combined_installs(app_name:'QNAP QTS');

if (qts_installs[0] != IF_OK || max_index(qts_installs[1]) < 1)
  audit(AUDIT_HOST_NOT, 'affected');

# Only 1 install of QTS is possible per target
var qts_install = qts_installs[1][0];
var qts_version = qts_install.version;

# Photo Station fixed ver depends on QTS version
var constraints;
if (qts_version =~ "4\.2\.6([^0-9]|$)")
  constraints = [{'fixed_version' : '5.2.11'}];
else if (qts_version =~ "4\.3\.[0-3]([^0-9]|$)")
  constraints = [{'fixed_version' : '5.4.9'}];
else if ( (ver_compare(ver:qts_version, fix:'4.3.4') >= 0) &&
          (ver_compare(ver:qts_version, fix:'4.4.0') <=0))
  constraints = [{'fixed_version' : '5.7.10'}];
else if (qts_version =~ "4\.4\.1([^0-9]|$)")
  constraints = [{'fixed_version' : '6.0.3'}];
else
  audit(AUDIT_HOST_NOT, 'affected');

var app = vcf::combined_get_app_info(app:'QNAP Photo Station');

vcf::check_version_and_report(app_info:app, constraints:constraints, severity:SECURITY_HOLE);

VendorProductVersionCPE
qnapphoto_stationcpe:/a:qnap:photo_station
qnapphoto_stationcpe:/h:qnap:photo_station

Vendor	Product	Version	CPE
qnap	photo_station		cpe:/a:qnap:photo_station
qnap	photo_station		cpe:/h:qnap:photo_station

References

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7192

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7193

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7194

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7195

www.qnap.com/zh-tw/security-advisory/nas-201911-25

JSON

Related for QNAP_PHOTOSTATION_6_0_3.NASL