QNAP Systems, Inc., a Taiwanese corporation that specializes in network-attached storage (NAS) appliances, has fixed two critical-severity vulnerabilities affecting its QVR video surveillance solution. If exploited, these issues could allow an attacker to execute arbitrary commands.
What Is QVR?
As advertised by QNAP, the QVR Pro Appliance is an SMB-grade, tower-based network surveillance server that supports high-quality real-time video/audio monitoring, megapixel recording, and playback from multiple IP cameras in order to protect your valuable possessions.
Yesterday, the Taiwan-based company announced that it had patched three command injection flaws in its QVR video monitoring management software. According to BleepingComputer, two of the three received a critical severity score of 9.8 out of 10.
The two vulnerabilities are tracked as CVE-2021-34351 and CVE-2021-34348. According to experts, when exploited they could enable a remote attacker to run commands on exposed systems and thereby gain complete control of the device.
QNAP Fixes Another Vulnerability
CVE-2021-34349 is another security vulnerability from the same class that QNAP has also patched. This third flaw has a lower severity score than the first two, at 7.2 out of 10.
As noted by BleepingComputer, exploiting the critical vulnerabilities requires no privileges, whereas a threat actor exploiting the high-severity bug requires high privileges.
According to QNAP, the pair of critical issues affects certain products running QVR that have reached End of Life (EoL), meaning they are no longer officially supported.
Because many users are likely to keep using devices that are no longer supported, the company released a software update (QVR 5.1.5 build 20210803) for them.
Two command injection vulnerabilities have been reported to affect certain QNAP EOL devices running QVR. If exploited, these vulnerabilities allow remote attackers to run arbitrary commands.
It is not yet known whether these vulnerabilities have been exploited, but they may be attractive to cybercriminals, as all sorts of companies use these devices for video monitoring.
In April, a massive, ongoing Qlocker ransomware campaign targeting QNAP devices around the world began locking users’ files in password-protected 7zip archives.
All victims were told to pay 0.01 Bitcoins ($557.74), to get a password for their archived files.
Security researchers believe that the Qlocker ransomware threat actor collected approximately $260,000 in less than a week from victims paying the ransom to restore their files.