Vulnerability Note VU#751328
QNAP QTS is vulnerable to a path traversal attack when used with the AFP protocol and OS X
Original Release date: 12 Oct 2015 | Last revised: 13 Oct 2015

Overview
QNAP QTS is a Network-Attached Storage (NAS) system. The QNAP QTS is vulnerable to a path traversal attack when used with the AFP protocol and OS X.

Description
CWE-23: Relative Path Traversal – CVE-2015-6003

When the Apple Filing Protocol (AFP) is enabled, any OS X user account (including the unauthenticated guest account) may be able to read and write arbitrary files on the QNAP QTS device.

According to documentation, AFP is disabled by default on the device, so only users specifically enabling this service are impacted.

According to the reporter, the TS-420 with firmware version prior to 4.1.4 Build 0910 is vulnerable. It is likely that all devices running firmware version 4.1.4 are affected; previous firmware versions may also be affected.

For more information, please see QNAP’s security advisory.

Impact
An unauthenticated remote user may be able to read and write arbitrary files on the device.

Solution
Update the firmware

QNAP has released firmware version QTS 4.1.4 Build 0910 and QTS 4.2.0 Build 0910(RC2) to address this issue. Affected users are encouraged to update as soon as possible.

Vendor Information (Learn More)

VendorStatusDate NotifiedDate UpdatedQNAPAffected28 Aug 201513 Oct 2015If you are a vendor and your product is affected, let
us know.

CVSS Metrics (Learn More)

Group
Score
Vector

Base
6.6
AV:L/AC:L/Au:N/C:C/I:C/A:N

Temporal
5.2
E:POC/RL:OF/RC:C

Environmental
3.9
CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

https://www.qnap.com/i/en/support/con_show.php?cid=85
https://www.qnap.com/i/uk/product_x_down/index.php
http://www.qnap.com/event/qts-4.2/public-beta/en-uk/
https://developer.apple.com/library/mac/documentation/Networking/Conceptual/AFP/Introduction/Introduction.html
http://docs.qnap.com/nas/4.0/en/index.html?win_mac_nfs.htm

Credit

Thanks to Marcin Ochab for reporting this vulnerability.
This document was written by Garret Wassermann.

Other Information

CVE IDs:
CVE-2015-6003

Date Public:
12 Oct 2015

Date First Published:
12 Oct 2015

Date Last Updated:
13 Oct 2015

Document Revision:
35

FeedbackIf you have feedback, comments, or additional information about this vulnerability, please send us email.

Leave a Reply