CERTVU:751328QNAP QTS is vulnerable to a path traversal attack when used with the AFP protocol and OS X
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
EPSS
Percentile
79.6%
Overview
QNAP QTS is a Network-Attached Storage (NAS) system. The QNAP QTS is vulnerable to a path traversal attack when used with the AFP protocol and OS X.
Description
CWE-23: Relative Path Traversal - CVE-2015-6003
When the Apple Filing Protocol (AFP) is enabled, any OS X user account (including the unauthenticated guest account) may be able to read and write arbitrary files on the QNAP QTS device.
According to documentation, AFP is disabled by default on the device, so only users specifically enabling this service are impacted.
According to the reporter, the TS-420 with firmware version prior to 4.1.4 Build 0910 is vulnerable. It is likely that all devices running firmware version 4.1.4 are affected; previous firmware versions may also be affected.
For more information, please see QNAP’s security advisory.
Impact
An unauthenticated remote user may be able to read and write arbitrary files on the device.
Solution
Update the firmware
QNAP has released firmware version QTS 4.1.4 Build 0910 and QTS 4.2.0 Build 0910(RC2) to address this issue. Affected users are encouraged to update as soon as possible.
Vendor Information
751328
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Additional information available
__ Sort by: Status Alphabetical
Expand all
Javascript is disabled. Click here to view vendors.
QNAP Affected
Notified: August 28, 2015 Updated: October 13, 2015
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | 6.6 | AV:L/AC:L/Au:N/C:C/I:C/A:N |
| Temporal | 5.2 | E:POC/RL:OF/RC:C |
| Environmental | 3.9 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND |
References
- <https://www.qnap.com/i/en/support/con_show.php?cid=85>
- <https://www.qnap.com/i/uk/product_x_down/index.php>
- <http://www.qnap.com/event/qts-4.2/public-beta/en-uk/>
- <https://developer.apple.com/library/mac/documentation/Networking/Conceptual/AFP/Introduction/Introduction.html>
- <http://docs.qnap.com/nas/4.0/en/index.html?win_mac_nfs.htm>
Acknowledgements
Thanks to Marcin Ochab for reporting this vulnerability.
This document was written by Garret Wassermann.
Other Information
| CVE IDs: | CVE-2015-6003 |
|---|---|
| Date Public: | 2015-10-12 Date First Published: |
Related
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
EPSS
Percentile
79.6%