9.1 CVE-2022-27593

CISA Kev Catalog Used by Malware Used by Ransomware

An externally controlled reference to a resource vulnerability has been reported to affect QNAP NAS running Photo Station. If exploited, This could allow an attacker to modify system files. We have already fixed the vulnerability in the following versions: QTS 5.0.1: Photo Station 6.1.2 and later QTS 5.0.0/4.5.x: Photo Station 6.0.22 and later QTS 4.3.6: Photo Station 5.7.18 and later QTS 4.3.3: Photo Station 5.4.15 and later QTS 4.2.6: Photo Station 5.2.14 and later
https://nvd.nist.gov/vuln/detail/CVE-2022-27593

Categories

CWE-610 : Externally Controlled Reference to a Resource in Another Sphere
The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere. An email client does not block loading of remote objects in a nested document. Chain: a learning management tool debugger uses external input to locate previous session logs (CWE-73) and does not properly validate the given path (CWE-20), allowing for filesystem path traversal using "../" sequences (CWE-24) Cryptography API uses unsafe reflection when deserializing a private key Chain: Go-based Oauth2 reverse proxy can send the authenticated user to another site at the end of the authentication flow. A redirect URL with HTML-encoded whitespace characters can bypass the validation (CWE-1289) to redirect to a malicious site (CWE-601) Recruiter software allows reading arbitrary files using XXE Database system allows attackers to bypass sandbox restrictions by using the Reflection API.

References

security@qnapsecurity.com.tw

https://www.qnap.com/en/security-advisory/qsa-22-24 Vendor Advisory

CPE

cpe	start	end
Configuration 1
AND
OR
cpe:2.3:o:qnap:qts:4.2.6:::::::*
OR
cpe:2.3:a:qnap:photo_station::::::::		< 5.2.14
Configuration 2
AND
OR
cpe:2.3:o:qnap:qts:4.3.3:::::::*
OR
cpe:2.3:a:qnap:photo_station::::::::		< 5.4.15
Configuration 3
AND
OR
cpe:2.3:o:qnap:qts:4.3.6:::::::*
OR
cpe:2.3:a:qnap:photo_station::::::::		< 5.7.18
Configuration 4
AND
OR
cpe:2.3:o:qnap:qts::::::::	>= 4.5.1	<= 4.5.4.2012
cpe:2.3:o:qnap:qts:5.0.0:::::::*
OR
cpe:2.3:a:qnap:photo_station::::::::		< 6.0.22
Configuration 5
AND
OR
cpe:2.3:o:qnap:qts:5.0.1:::::::*
OR
cpe:2.3:a:qnap:photo_station::::::::		< 6.1.2

REMEDIATION

EXPLOITS

Exploit-db.com

id	description	date
No known exploits

POC Github

Url
No known exploits

Other Nist (github, ...)

Url
No known exploits

CAPEC

Common Attack Pattern Enumerations and Classifications

id	description	severity
219	XML Routing Detour Attacks An attacker subverts an intermediate system used to process XML content and forces the intermediate to modify and/or re-route the processing of the content. XML Routing Detour Attacks are Adversary in the Middle type attacks (CAPEC-94). The attacker compromises or inserts an intermediate system in the processing of the XML message. For example, WS-Routing can be used to specify a series of nodes or intermediaries through which content is passed. If any of the intermediate nodes in this route are compromised by an attacker they could be used for a routing detour attack. From the compromised system the attacker is able to route the XML process to other nodes of their choice and modify the responses so that the normal chain of processing is unaware of the interception. This system can forward the message to an outside entity and hide the forwarding and processing from the legitimate processing systems by altering the header information. [Survey the target] Using command line or an automated tool, an attacker records all instances of web services to process XML requests. [Identify SOAP messages that have multiple state processing.] Inspect instance to see whether the XML processing has multiple stages or not. [Launch an XML routing detour attack] The attacker injects a bogus routing node (using a WS-Referral service) into the routing table of the XML header of the SOAP message identified in the Explore phase. Thus, the attacker can route the XML message to the attacker controlled node (and access the message contents).	Medium

Cybersecurity needs ?

Strengthen software security from the outset with our DevSecOps expertise

Integrate security right from the start of the software development cycle for more robust applications and greater customer confidence.
Our team of DevSecOps experts can help you secure your APIs, data pipelines, CI/CD chains, Docker containers and Kubernetes deployments.

Discover this offer

Soutenez No Hack Me sur Tipeee