
ESB-2023.7668 – [Appliance] QNAP VioStor NVR: CVSS (Max): 8.0


===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2023.7668
ICS Advisory | ICSA-23-355-02 QNAP VioStor NVR
22 December 2023

===========================================================================

AusCERT Security Bulletin Summary
———————————

Product: QNAP VioStor NVR
Publisher: ICS-CERT
Operating System: Network Appliance
Resolution: Patch/Upgrade
CVE Names: CVE-2023-47565

Original Bulletin:
https://www.cisa.gov/news-events/ics-advisories/icsa-23-355-02

Comment: CVSS (Max): 8.0 CVE-2023-47565 (CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
CVSS Source: ICS-CERT
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

The following are listed in the CISA Known Exploited Vulnerabilities (KEV) Catalog:
CISA KEV CVE(s): CVE-2023-47565
CISA KEV URL: https://www.cisa.gov/known-exploited-vulnerabilities-catalog

--------------------------BEGIN INCLUDED TEXT--------------------

ICS Advisory (ICSA-23-355-02)

QNAP VioStor NVR

Release Date
December 21, 2023

1. EXECUTIVE SUMMARY

o CVSS v3 8.0
o ATTENTION: Exploitable remotely/low attack complexity/public exploits are
available/known public exploitation
o Vendor: QNAP
o Equipment: VioStor NVR
o Vulnerability: OS Command Injection

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to
achieve remote code execution by exploiting NTP settings.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of QNAP VioStor NVR are affected:

o VioStor NVR QVR firmware: All versions prior to 4.x

3.2 Vulnerability Overview

3.2.1 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN OS COMMAND (‘OS
COMMAND INJECTION’) CWE-78

QNAP VioStor NVR versions prior to QVR Firmware 4.x are vulnerable to an OS
command injection vulnerability that may allow an attacker to modify NTP
settings in the device. This could result in remote code execution.
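
The advisory does not publish the affected code, so the following is an added, generic illustration of the CWE-78 defence for an NTP-server setting, not QNAP or CISA code. The function names, the use of `ntpdate -u`, and the sample values are assumptions of this example.

```python
import ipaddress
import re

# Unsafe pattern this replaces (CWE-78): os.system("ntpdate -u " + server)
# hands the whole string to a shell, which interprets ; | & $() ` and newlines.

# One RFC 1123 hostname label: letters, digits, inner hyphens, 1 to 63 chars.
LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")

def validate_ntp_server(value):
    """Return value if it is an IP literal or RFC 1123 hostname, else raise."""
    if not isinstance(value, str) or not 0 < len(value) <= 253:
        raise ValueError("NTP server must be a string of 1 to 253 characters")
    # IPv6 zone IDs ("fe80::1%eth0") may carry arbitrary text after '%',
    # so values containing '%' are never treated as IP literals.
    if "%" not in value:
        try:
            return str(ipaddress.ip_address(value))
        except ValueError:
            pass
    # fullmatch, not match with '$': '$' would accept a trailing newline.
    labels = value.rstrip(".").split(".")
    if all(LABEL.fullmatch(label) for label in labels):
        return value
    raise ValueError("rejected NTP server value: %r" % (value,))

def ntp_sync_argv(server):
    """Build argv for subprocess.run(argv): a list, never a shell string."""
    return ["ntpdate", "-u", validate_ntp_server(server)]

def triage(values):
    """Map each candidate setting to True (accepted) or False (rejected)."""
    result = {}
    for v in values:
        try:
            result[v] = bool(validate_ntp_server(v))
        except ValueError:
            result[v] = False
    return result

# Constructed sample settings, not taken from any real device or exploit.
SAMPLES = ["time.example.net", "192.0.2.10", "2001:db8::1",
           "time.example.net; echo x", "$(echo x)", "-u", "ntp.local\n",
           "fe80::1%;echo"]

if __name__ == "__main__":
    for value, ok in triage(SAMPLES).items():
        print("accept" if ok else "reject", repr(value))
```

The allow-list rejects a leading hyphen as well as shell metacharacters, so a stored value cannot be read as a command-line option by the program that receives it.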

CVE-2023-47565 has been assigned to this vulnerability. A CVSS v3.1 base score
of 8.0 has been calculated; the CVSS vector string is
(AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

o CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities
o COUNTRIES/AREAS DEPLOYED: Worldwide
o COMPANY HEADQUARTERS LOCATION: Taiwan

3.4 RESEARCHER

Chad Seaman and Larry Cashdollar of Akamai Technologies reported this
vulnerability to CISA.

4. MITIGATIONS

QNAP advises users to download and apply the latest QVR Firmware.

QNAP has stated that QVR Firmware 5.x and 4.x are both end of life.

For more information, see QNAP’s security advisory.

For more information, contact QNAP Support.

CISA recommends users take defensive measures to minimize the risk of
exploitation of this vulnerability, such as:

o Minimize network exposure for all control system devices and/or systems,
ensuring they are not accessible from the internet.
o Locate control system networks and remote devices behind firewalls and
isolate them from business networks.
o When remote access is required, use more secure methods, such as Virtual
Private Networks (VPNs), recognizing VPNs may have vulnerabilities and
should be updated to the most current version available. Also recognize that
a VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk
assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices
on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber
defense best practices are available for reading and download, including
Improving Industrial Control Systems Cybersecurity with Defense-in-Depth
Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies
for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available
on the ICS webpage at cisa.gov/ics in the technical information paper,
ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation
Strategies.

Organizations observing suspected malicious activity should follow established
internal procedures and report findings to CISA for tracking and correlation
against other incidents.

CISA has received reports of this vulnerability being actively exploited.

This advisory contains a vulnerability that has an associated “Known Exploited
Vulnerabilities” (KEV) entry. Refer to the following link to view the KEV
entry: Known Exploited Vulnerabilities Catalog | CISA

5. UPDATE HISTORY

o December 21, 2023: Initial Publication

This product is provided subject to this Notification and this Privacy & Use
policy.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation’s
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT’s members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation’s
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author’s website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================