CVE-2017-13067
published 2017-09-14


Priority: P275, critical, 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 16.68% (96.6th percentile)

QNAP has patched a remote code execution vulnerability affecting the QTS Media Library in all versions prior to QTS 4.2.6 build 20170905 and QTS 4.3.3.0299 build 20170901. This particular vulnerability allows a remote attacker to execute commands on a QNAP NAS using a transcoding service on port 9251. A remote user does not require any privileges to successfully execute an attack.

Affected

4 ranges
Vendor | Product                  | Version range     | Fixed in
qnap   | qts                      | 4.2.0 – 4.2.6     |
qnap   | qts                      | 4.3.0 – 4.3.3.0299 |
qnap   | qts_media_libary_product |                   |
qnap   | qts_media_libary_product |                   |

Detection & IOCs

port: 9251
command: rmfile
  • Monitor for unauthenticated inbound connections to TCP port 9251 on QNAP NAS devices, which is the default listening port for the vulnerable transcoding service.
  • Inspect traffic to port 9251 for use of the 'rmfile' command, which is the specific command vector used for injection in this exploit.
  • No authentication is required to exploit this vulnerability; any connection from an external/untrusted source to port 9251 should be treated as suspicious.
  • Vulnerability affects all QTS versions prior to QTS 4.2.6 build 20170905 and QTS 4.3.3.0299 build 20170901; detections should be scoped to unpatched devices running older firmware.
  • The Metasploit module was validated against firmware version 4.3.3.0262 (20170727) on a QNAP TS-431; detections may need tuning for other hardware/firmware combinations.

CVSS provenance

Source | Version | Score | Severity | Vector
nvd    | v3.0    | 9.8   | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd    | v2.0    | 7.5   | HIGH     | AV:N/AC:L/Au:N/C:P/I:P/A:P