Taiwanese hardware vendor QNAP is warning customers to secure their Linux-powered network attached storage (NAS) devices against a very serious sudo privilege escalation vulnerability.
The defect (tracked as CVE-2023-22809) was discovered by Synacktiv security researchers, who describe it as a “bypass of sudoers policy in sudo version 1.9.12p1 when using sudoedit”.
Successful exploitation on unpatched devices using sudo versions 1.8.0 through 1.9.12p1 could allow attackers to elevate privileges by modifying unauthorized files after adding arbitrary entries to the list of files to process.
The vulnerability also affects QTS, QuTS hero, QuTScloud and QVP (QVR Pro appliances) NAS operating systems, as QNAP disclosed in a security advisory released on Wednesday.
Although the company has fixed the flaw in the QTS and QuTS hero platforms, it is still working to provide QuTScloud and QVP security updates.
“Please check this security notice regularly for updates and promptly update your operating system to the latest recommended version as soon as it becomes available,” QNAP warned.
“To secure your device, we recommend that you regularly update your system to the latest version to benefit from vulnerability fixes.”
How to secure your QNAP NAS device
To update their QTS, QuTS hero or QuTScloud, customers need to log in as an admin user, go to Control Panel > System > Firmware Update, and click the “Check for Updates” option in the “Live Update” section.
Alternatively, they can manually apply the firmware update after downloading it from the QNAP Download Center, where they select the product type and model of their device.
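The affected range quoted above (sudo 1.8.0 through 1.9.12p1) can be checked from a shell on any Linux host. The script below is an added example, not code from QNAP, Synacktiv or the sudo project; the function names are illustrative and the sample versions are constructed.

```shell
#!/bin/sh
# Added example: triage for the sudo range the article gives for
# CVE-2023-22809 (1.8.0 through 1.9.12p1). Function names are illustrative.

# Map "1.9.12p1" to a sortable integer (major, minor, micro, patch level).
# Fails on anything that is not N.N.N with an optional pN suffix.
sudo_ver_key() {
    ver=$1 patch=0
    case $ver in
        *p[0-9]*) patch=${ver##*p}; ver=${ver%p*} ;;
    esac
    case "$ver.$patch" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $ver
    IFS=$old_ifs
    [ $# -eq 3 ] || return 1
    echo $(( (($1 * 1000 + $2) * 1000 + $3) * 1000 + $patch ))
}

# Exit status: 0 = in the affected range, 1 = outside it, 2 = unparseable.
sudo_affected() {
    key=$(sudo_ver_key "$1") || return 2
    lo=$(sudo_ver_key 1.8.0)
    hi=$(sudo_ver_key 1.9.12p1)
    [ "$key" -ge "$lo" ] && [ "$key" -le "$hi" ]
}

# Print a one-word verdict for a version string.
sudo_triage() {
    rc=0
    sudo_affected "$1" || rc=$?
    case $rc in
        0) echo affected ;;
        1) echo not-affected ;;
        *) echo unknown ;;
    esac
}

# Version string from the first line of `sudo -V` ("Sudo version 1.9.12p1").
installed_sudo_version() {
    sudo -V 2>/dev/null | sed -n '1s/^Sudo version \([^ ]*\).*/\1/p'
}

# Constructed sample versions, then the local host if sudo is installed.
for v in 1.8.0 1.9.5p2 1.9.12p1 1.9.12p2 1.9.13b1; do
    echo "$v: $(sudo_triage "$v")"
done
if command -v sudo >/dev/null 2>&1; then
    v=$(installed_sudo_version)
    echo "local sudo ${v:-?}: $(sudo_triage "$v")"
fi
```

Vendors and distributions often backport fixes without changing the upstream version string, so an "affected" verdict is a prompt to check the vendor advisory and installed firmware or package build, not proof of exposure.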
QNAP’s advisory did not mark the CVE-2023-22809 vulnerability as being actively exploited in the wild.
However, due to the severity of the flaw, customers are advised to apply available security updates as soon as possible, as threat actors are known to actively target QNAP NAS security flaws.
Recent attacks targeting QNAP NAS devices include Deadbolt and eCh0raix ransomware campaigns, which abuse vulnerabilities to encrypt data on devices exposed to the Internet.
Today, QNAP also announced that it is fixing several other security bugs affecting its products, including some found in OpenSSL, Samba [1, 2] and its own operating systems (exploitable for remote command execution and information disclosure).