CVE-2017-6360
Published 2017-03-23
CVE-2017-6360: QNAP QTS before 4.2.4 Build 20170313 allows attackers to gain administrator privileges and obtain sensitive information via unspecified vectors.
Priority: P184 · critical · 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 66.15% (99.2th percentile)
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| qnap | qts | <= 4.2.4 | — |
Detection & IOCs (extracted from sources)
- Monitor HTTP GET requests to /cgi-bin/userConfig.cgi with a 'hash' parameter containing shell metacharacters (backticks, semicolons, pipe, redirection operators) indicative of command injection.
- Monitor HTTP GET requests to /cgi-bin/authLogin.cgi with a 'reboot_notice_msg' parameter; the parameter value is base64-encoded and should be decoded and inspected for the magic prefix 'QNAPVJBD' followed by a timestamp, 'Disconnect', and a payload containing shell metacharacters.
- Monitor HTTP GET requests to /cgi-bin/filemanager/utilRequest.cgi with func=cancel_trash_recovery and a 'pid' parameter containing shell metacharacters instead of a numeric PID.
- Alert on process execution of /sbin/cloud_util or /sbin/vdd_control spawned from a web server process (e.g., httpd/CGI), especially with arguments containing shell metacharacters.
- CVE-2017-6360 specifically targets the 'hash' GET parameter in /cgi-bin/userConfig.cgi (func=cloudPersonalSmtp). Exploitation requires an authenticated session (valid 'sid' value), so unauthenticated access alone is not sufficient for this particular CVE.
- The exploit was confirmed on QTS firmware versions 4.2.2 Build 20161214 and 4.2.3 Build 20170213; it is believed to affect all devices running QTS prior to the patch.
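The three HTTP monitoring rules above can be run over web access logs as in the following sketch, which is an added example and not code from this page or its sources. The rule names, the combined-log line format, the extra '&' and '$' metacharacters and every sample line are assumptions constructed for illustration; the 'pid' rule is generalised to flag any non-numeric value.

```python
import base64
import re
from urllib.parse import urlsplit, parse_qs

# Characters named in the bullets above, plus '&' and '$' (assumption).
SHELL_META = re.compile(r"[`;|<>&$]")
REQ = re.compile(r'"GET (\S+) HTTP/[\d.]+"')

def decode_b64(value):
    """Lenient base64 decode: query parsing turns '+' into ' ', padding may be missing."""
    value = value.replace(" ", "+")
    try:
        return base64.b64decode(value + "=" * (-len(value) % 4)).decode("latin-1")
    except ValueError:
        return ""

def classify(target):
    """Return the name of the matching rule for a GET request target, else None."""
    url = urlsplit(target)
    qs = {k: v[0] for k, v in parse_qs(url.query, keep_blank_values=True).items()}
    if url.path == "/cgi-bin/userConfig.cgi" and SHELL_META.search(qs.get("hash", "")):
        return "userConfig.hash"
    if url.path == "/cgi-bin/authLogin.cgi":
        msg = decode_b64(qs.get("reboot_notice_msg", ""))
        if msg.startswith("QNAPVJBD") and SHELL_META.search(msg):
            return "authLogin.reboot_notice_msg"
    if (url.path == "/cgi-bin/filemanager/utilRequest.cgi"
            and qs.get("func") == "cancel_trash_recovery"
            and "pid" in qs and not re.fullmatch(r"[0-9]+", qs["pid"])):
        return "utilRequest.pid"
    return None

def scan(log_lines):
    """Return [(line_number, rule)] for access-log lines that match a rule."""
    hits = ((n, REQ.search(line)) for n, line in enumerate(log_lines, 1))
    hits = [(n, classify(m.group(1))) for n, m in hits if m]
    return [(n, rule) for n, rule in hits if rule]

LINE = '192.0.2.10 - - [23/Mar/2017:10:00:00 +0000] "GET {} HTTP/1.1" 200 12'

# Constructed sample (not captured traffic); the decoded message layout is assumed.
MSG = base64.b64encode(b"QNAPVJBD1490000000 Disconnect ;id").decode()
SAMPLE = [LINE.format(t) for t in (
    "/cgi-bin/userConfig.cgi?func=cloudPersonalSmtp&sid=EXAMPLE&hash=%60id%60",
    "/cgi-bin/userConfig.cgi?func=cloudPersonalSmtp&sid=EXAMPLE&hash=0a1b2c",
    "/cgi-bin/authLogin.cgi?reboot_notice_msg=" + MSG,
    "/cgi-bin/filemanager/utilRequest.cgi?func=cancel_trash_recovery&sid=EXAMPLE&pid=4242",
    "/cgi-bin/filemanager/utilRequest.cgi?func=cancel_trash_recovery&sid=EXAMPLE&pid=42%3Bid",
)]
```

Calling `scan()` on the lines of a NAS or reverse-proxy access log returns the line numbers to triage; the process-execution rule for /sbin/cloud_util and /sbin/vdd_control needs host telemetry and is not covered here.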
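CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| vulncheck | — | 9.8 | CRITICAL | — |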
GHSA
GHSA-7fw6-hwmp-q9v4: QNAP QTS before 4
ghsa_unreviewed·2022-05-13
CVE-2017-6360 [CRITICAL] CWE-78 GHSA-7fw6-hwmp-q9v4: QNAP QTS before 4
QNAP QTS before 4.2.4 Build 20170313 allows attackers to gain administrator privileges and obtain sensitive information via unspecified vectors.
VulnCheck
QNAP QTS Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
vulncheck·2017·CVSS 9.8
CVE-2017-6360 [CRITICAL] QNAP QTS Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
QNAP QTS before 4.2.4 Build 20170313 allows attackers to gain administrator privileges and obtain sensitive information via unspecified vectors.
Affected: QNAP QTS
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://api.vulncheck.com/v3/index/sans-dshield?cve=CVE-2017-6360
References
- http://www.securityfocus.com/bid/97059
- http://www.securityfocus.com/bid/97072
- http://www.securitytracker.com/id/1038091
- https://www.exploit-db.com/exploits/41842/
- https://www.qnap.com/en-us/releasenotes/
- https://www.qnap.com/en/support/con_show.php?cid=113