QNAP, a provider of network-attached storage (NAS), has released a patch for its QVR video management system, which addresses two critical-severity flaws that may be exploited to execute arbitrary code.
When used with compatible IP cameras, QNAP’s QVR software is a professional solution that enables real-time video monitoring, recording, playback, and alert notifications.
QNAP stated today that it had patched three command injection vulnerabilities in its QVR video surveillance software, two of which had a critical severity rating of 9.8 out of ten.
The two critical flaws, tracked as CVE-2021-34351 and CVE-2021-34348, may allow a remote attacker to execute commands on vulnerable devices, potentially giving them complete control of the device.
Aside from these two security flaws, QNAP has patched a third, CVE-2021-34349. It is in the same class as the other two but carries a lower severity score of 7.2 out of 10.
The difference in severity comes down to the privileges needed to exploit the bugs: none are required for the two critical flaws, whereas exploiting the high-severity flaw requires high privileges.
According to QNAP, the two critical vulnerabilities affect some QVR devices that have reached end-of-life (EoL). Many customers are likely still using these devices even though they are no longer supported, which prompted the company to release a software update (QVR 5.1.5 build 20210803).
It is unclear whether any of the flaws have been exploited. Threat actors may be enticed to target these vulnerabilities, as the devices are used for video surveillance by organizations of various sizes (enterprise, SOHO, SMB).
Earlier this year, a cybercriminal gang exploited a hardcoded-credentials flaw in QNAP NAS devices to encrypt victims' files with the 7-Zip archiving software, in a campaign known as the Qlocker ransomware.
Victims, primarily consumers and small-to-medium-sized business owners, were offered file recovery for $500, a relatively low fee that many were willing to pay. The operators of the Qlocker ransomware are said to have collected at least $260,000 in ransoms from their victims in only five days.