zdi | Team ECQ | ZDI-24-472
May 19, 2024 - 12:00 a.m.

(Pwn2Own) QNAP TS-464 Netmgr Endpoint CRLF Injection Arbitrary Configuration Update Vulnerability

2024-05-19 00:00:00
Team ECQ
www.zerodayinitiative.com
pwn2own
qnap ts-464
netmgr endpoint
crlf injection
arbitrary configuration update
vulnerability
remote attackers
localhost interface
legacy_cgi endpoints
lack of validation
user-supplied string
system configuration

CVSS3: 9.9 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: HIGH
Availability Impact: LOW
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:L

AI Score: 6.6 Medium
Confidence: Low

CVSS2: 7.5 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS: 0.001 Low
Percentile: 28.8%

This vulnerability allows remote attackers to create arbitrary configurations on affected installations of QNAP TS-464 NAS devices. An attacker must first obtain the ability to access the device’s localhost interface, which can be accomplished using a malicious TURN server. The specific flaw exists within the legacy_cgi endpoints. The issue results from the lack of proper validation of a user-supplied string before using it to update configurations. An attacker can leverage this in conjunction with other vulnerabilities to create arbitrary configurations on the system.
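
The flaw class described above (an unvalidated string used in a configuration update), as an added Python example that is not from the advisory or from QNAP code. The key=value file format, the function names and the sample keys are assumptions made for illustration, since the advisory does not describe the real format; the point is that the hardened writer rejects every character the parser treats as a line break, not only CR and LF.

```python
import re

# Hypothetical key=value config store; format and names are assumptions, not QNAP's.
_KEY_RE = re.compile(r"[A-Za-z0-9_]+")
# Every character str.splitlines() treats as a line boundary, so the
# validator and the parser agree on what "one line" means.
_LINE_BREAKS = re.compile(r"[\r\n\x0b\x0c\x1c-\x1e\x85\u2028\u2029]")

def parse_config(text):
    """Parse 'key = value' lines into a dict; a later key overrides an earlier one."""
    cfg = {}
    for line in text.splitlines():
        if "=" in line:
            key, _, value = line.partition("=")
            cfg[key.strip()] = value.strip()
    return cfg

def set_value_unsafe(text, key, value):
    """Weak form: the value is written verbatim, so an embedded CR/LF starts a new line."""
    lines = [l for l in text.splitlines() if l.partition("=")[0].strip() != key]
    lines.append(f"{key} = {value}")
    return "\n".join(lines) + "\n"

def set_value_safe(text, key, value):
    """Hardened form: allowlist the key, reject line breaks and NUL in the value."""
    if not _KEY_RE.fullmatch(key):
        raise ValueError("invalid key")
    if _LINE_BREAKS.search(value) or "\x00" in value:
        raise ValueError("line break or NUL in value")
    return set_value_unsafe(text, key, value)

# Constructed sample config and constructed tainted input.
SAMPLE = "hostname = nas01\naudit_log = on\n"
TAINTED = "nas02\r\naudit_log = off"

def demo():
    """Return the config the weak writer produces and whether the hardened one refused."""
    unsafe = parse_config(set_value_unsafe(SAMPLE, "hostname", TAINTED))
    try:
        set_value_safe(SAMPLE, "hostname", TAINTED)
        rejected = False
    except ValueError:
        rejected = True
    return unsafe, rejected

if __name__ == "__main__":
    print(demo())
```

With the weak writer, a request that should only change `hostname` also changes `audit_log`; the hardened writer raises instead of writing the file.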
