CVE-2017-13067
Published: 2017-09-14
Priority: P2 75 | critical 9.8 (CVSS 3.0)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EXPLOIT
EPSS: 16.68% (96.6th percentile)
QNAP has patched a remote code execution vulnerability affecting the QTS Media Library in all versions prior to QTS 4.2.6 build 20170905 and QTS 4.3.3.0299 build 20170901. This particular vulnerability allows a remote attacker to execute commands on a QNAP NAS using a transcoding service on port 9251. A remote user does not require any privileges to successfully execute an attack.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| qnap | qts | 4.2.0 – 4.2.6 | — |
| qnap | qts | 4.3.0 – 4.3.3.0299 | — |
| qnap | qts_media_libary_product | — | — |
| qnap | qts_media_libary_product | — | — |
Detection & IOCs
- Monitor for unauthenticated inbound connections to TCP port 9251 on QNAP NAS devices, which is the default listening port for the vulnerable transcoding service.
- Inspect traffic to port 9251 for use of the 'rmfile' command, which is the specific command vector used for injection in this exploit.
- No authentication is required to exploit this vulnerability; any connection from an external/untrusted source to port 9251 should be treated as suspicious.
- Vulnerability affects all QTS versions prior to QTS 4.2.6 build 20170905 and QTS 4.3.3.0299 build 20170901; detections should be scoped to unpatched devices running older firmware.
- The Metasploit module was validated against firmware version 4.3.3.0262 (20170727) on a QNAP TS-431; detections may need tuning for other hardware/firmware combinations.
CVSS provenance
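| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |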