Cloud related Bugs found in QNAP Q'Center web console
Researchers found high severity vulnerabilities in network storage vendor QNAP's web console, which could enable an authenticated hacker to gain privileges and execute arbitrary commands on the system. QNAP stated in a security advisory that it has fixed the issues in Q'Center Virtual Appliance, and highly recommends that customers update to the latest version.
The web-based platform, Q'Center, allows users to manage network-attached storage across multiple sites. Q'Center versions 1.6.1056 and 1.6.1075 are vulnerable. Multiple vulnerabilities found in the Q'Center web console would allow a hacker to execute arbitrary commands on the system, and the console also includes functionality that would allow an authenticated attacker to elevate privileges. QNAP stated in a security advisory that it has fixed the issues in Q'Center Virtual Appliance version 1.7.1083 and later, and urged customers to update to the latest version. Researchers discovered five vulnerabilities: an information exposure issue in an API endpoint of the web application that allows privilege escalation, and four command-injection issues in different admin functions and setting configurations.
Researchers found the privilege escalation flaw (CVE-2018-0706) in an API endpoint of the application that returns information about the accounts defined in the database. An authenticated user can access that endpoint and view the information being returned, which includes an extra field labeled "new_password" that contains the administrator's password, encoded in base64. Any authenticated user could therefore retrieve the admin user's password from this endpoint and log in as an administrator. Four command execution flaws could enable a hacker to inject commands in the password input. One of the command execution vulnerabilities (CVE-2018-0707) enables hackers to abuse the "change password" function for the administrative user. When the admin user executes a password change, the application executes an OS command to make the changes. Due to the flaw, the input is not properly sanitized when passed down to the OS, allowing a hacker to run arbitrary commands.
The API requires the password to be sent encoded in base64. This makes it a lot easier to inject commands, since there is no need to bypass any filters. For the admin user in the web application, there is also a backing user present on the OS. Once a hacker obtains the OS password from the privilege escalation vulnerability, they can modify the network configuration. Beyond that, multiple flaws in the web console could also enable users with the "Power User" profile to execute various functions despite not having access to them in the web application interface. This profile is also capable of modifying the SSH configuration via a command execution bug (CVE-2018-0710) in the SSH settings configuration update, the network configuration (CVE-2018-0708), and the date configuration (CVE-2018-0709).
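The password-change flaw described above comes from handing decoded input to an OS command. As an added example (not QNAP's code and not taken from the advisory), this Python handler decodes the base64 field strictly, rejects control characters, and passes the password to the tool as stdin data without a shell. The function names and the stand-in password tool are assumptions made so the example runs offline.

```python
import base64
import binascii
import subprocess
import sys

# Stand-in for the OS password tool (assumption): reads "user:password" on
# stdin like chpasswd and echoes it back so the example runs offline.
# A real deployment would use something like ["/usr/sbin/chpasswd"] here.
PASSWORD_TOOL = [sys.executable, "-c", "import sys; sys.stdout.write(sys.stdin.read())"]


def decode_password(b64_value: str) -> str:
    """Strictly decode the base64 field; encoding is transport, not sanitization."""
    try:
        raw = base64.b64decode(b64_value, validate=True)
        password = raw.decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("password field is not valid base64/UTF-8") from exc
    # Control characters (newline included) could add records to the tool's input.
    if not password or any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in password):
        raise ValueError("password is empty or contains control characters")
    return password


def change_password(username: str, b64_password: str) -> str:
    """Hand the new password to the tool as stdin data, with no shell involved."""
    if not username.isalnum():
        raise ValueError("unexpected characters in username")
    password = decode_password(b64_password)
    # Unsafe pattern this replaces: os.system("echo '%s:%s' | chpasswd" % ...),
    # where quotes, ';' or '$(...)' in the decoded password reach /bin/sh.
    result = subprocess.run(
        PASSWORD_TOOL,  # argv list, so shell=False (the default)
        input=f"{username}:{password}",
        capture_output=True,
        text=True,
        check=True,
        timeout=10,
    )
    return result.stdout  # what the stand-in tool received


if __name__ == "__main__":
    # Constructed sample: a password full of shell metacharacters.
    sample = base64.b64encode(b"pa'ss; $(echo x) `y` | z").decode()
    print(change_password("admin", sample))
```

Because the password travels as data on stdin, shell metacharacters in it arrive at the tool verbatim and are never interpreted.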
Core Security first notified QNAP about the flaws on March 13, in a notification that also included a draft advisory. Researchers stated that other products and versions might be affected but weren't tested. To update Q'Center Virtual Appliance, customers can go to qnap.com/utilities in their web browser and download the Q'Center Virtual Appliance Patch.