Source: security@qnapsecurity.com.tw
A vulnerability has been reported to affect QNAP NAS. If exploited, this vulnerability allows an attacker to access sensitive information stored in cleartext inside cookies via certain widely-available tools. QNAP have already fixed this vulnerability in the following versions: QTS 4.5.1.1456 build 20201015 (and later) QuTS hero h4.5.1.1472 build 20201031 (and later) QuTScloud c4.5.2.1379 build 20200730 (and later)
QNAP NAS devices are vulnerable to a critical information disclosure flaw. This vulnerability allows attackers to extract sensitive information, including user credentials, stored in cleartext within cookies, potentially leading to unauthorized access and data breaches. Immediate patching and security audits are crucial to mitigate this risk.
Step 1: Target Identification: The attacker identifies a vulnerable QNAP NAS device, potentially through network scanning or reconnaissance.
Step 2: Session Establishment: The attacker interacts with the QNAP NAS, triggering the creation of a session and the setting of cookies by the server.
Step 3: Cookie Interception: The attacker uses a tool (e.g., browser developer tools, Wireshark, Burp Suite) to intercept the HTTP traffic and examine the cookies being sent between the client and the server.
Step 4: Information Extraction: The attacker analyzes the cookies and extracts sensitive information stored in cleartext, such as session IDs, usernames, passwords, or other authentication tokens.
Step 5: Unauthorized Access: The attacker uses the extracted information to impersonate a legitimate user and gain unauthorized access to the QNAP NAS, potentially leading to data breaches or system compromise.
The vulnerability stems from the insecure storage of sensitive information, such as session tokens or user credentials, directly within HTTP cookies without proper encryption or protection. The affected QNAP NAS firmware fails to adequately sanitize or encrypt data before storing it in cookies. This allows attackers to leverage widely available tools, like browser developer tools or network sniffers (e.g., Wireshark), to intercept and read the cookies, thereby obtaining sensitive information. The root cause is likely a coding error or oversight in the session management logic, where the developers failed to implement secure cookie handling practices. This includes not using the Secure and HttpOnly flags, and failing to encrypt the cookie data. This lack of security allows for trivial information disclosure.
While no specific APTs are definitively linked to this CVE, the nature of the vulnerability makes it attractive to a wide range of attackers, including those seeking initial access or data exfiltration. This vulnerability could be leveraged by ransomware groups. CISA KEV status: Not listed.
Monitor network traffic for suspicious HTTP requests and responses, particularly those involving QNAP NAS devices.
Analyze HTTP cookies for cleartext sensitive information, such as usernames, passwords, or session tokens.
Implement intrusion detection systems (IDS) and intrusion prevention systems (IPS) to detect and block malicious traffic.
Review server logs for unusual activity, such as multiple failed login attempts or unauthorized access attempts.
Use file integrity monitoring to detect changes to critical system files.
Immediately update QNAP NAS firmware to a patched version (QTS 4.5.1.1456 build 20201015 or later, QuTS hero h4.5.1.1472 build 20201031 or later, QuTScloud c4.5.2.1379 build 20200730 or later).
Enable the 'Secure' and 'HttpOnly' flags for all cookies to prevent access via JavaScript and ensure transmission over HTTPS.
Implement encryption for all sensitive data stored in cookies.
Regularly audit the QNAP NAS configuration for security vulnerabilities.
Enforce strong password policies and multi-factor authentication (MFA) for all user accounts.
Disable unnecessary services and features on the QNAP NAS.
Implement a web application firewall (WAF) to protect against common web attacks.
Conduct regular vulnerability scans and penetration testing to identify and address security weaknesses.