CVE-2023-47218
Published 2024-02-13
Priority: P1 · 88 · high · CVSS 3.1 base score 8.3
CVSS vector: AV:N / AC:L / PR:N / UI:N / S:C / C:L / I:L / A:L
Flags: ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 89.16% (99.8th percentile)
An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to execute commands via a network.
We have already fixed the vulnerability in the following versions:
QTS 5.1.5.2645 build 20240116 and later
QuTS hero h5.1.5.2647 build 20240118 and later
QuTScloud c5.1.5.2651 and later
Affected (8 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| qnap | qts | — | — |
| qnap | qts | >= 5.1.0 < 5.1.5.2645 | 5.1.5.2645 |
| qnap | quts_hero | — | — |
| qnap | quts_hero | >= h5.1.0 < h5.1.5.2647 | h5.1.5.2647 |
| qnap | qutscloud | >= c5.0.0.1919 < c5.1.5.2651 | c5.1.5.2651 |
| qnap_systems_inc | qts | >= 5.1.x < 5.1.5.2645 build 20240116 | 5.1.5.2645 build 20240116 |
| qnap_systems_inc | quts_hero | >= h5.1.x < h5.1.5.2647 build 20240118 | h5.1.5.2647 build 20240118 |
| qnap_systems_inc | qutscloud | >= c5.x < c5.1.5.2651 | c5.1.5.2651 |
Detection & IOCs
url: /cgi-bin/quick/quick.cgi?func=switch_os&todo=uploaf_firmware_image
command: %22$($(echo -n aWQ=|base64 -d)>{{file}})%22
snort:
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS QNAP quick.cgi uploaf_firmware_image Command Injection Attempt (CVE-2023-47218)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cgi-bin/quick/quick.cgi?func=switch_os&todo=uploaf_firmware_image"; fast_pattern; http.user_agent; content:"Mozilla"; content:"Macintosh"; http.request_body; content:"|3d 22|%22"; content:"|22|"; within:200; reference:url,www.rapid7.com/blog/post/2024/02/13/cve-2023-47218-qnap-qts-and-quts-hero-unauthenticated-command-injection-fixed/; reference:cve,2023-47218; classtype:trojan-activity; sid:2050811; rev:1; metadata:affected_product QNAP, attack_target Networking_Equipment, created_at 2024_02_13, cve CVE_2023_47218, deployment Perimeter, performance_impact Low, confidence High, signature_severity Major, updated_at 2024_02_13, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services;)
- The vulnerable endpoint `quick.cgi` is only active on UNINITIALIZED QNAP NAS devices. Once a device is provisioned/initialized, the component is disabled. Detections should focus on devices that have not yet been set up.
- Exploit POST requests to `/cgi-bin/quick/quick.cgi?func=switch_os&todo=uploaf_firmware_image` use a multipart/form-data body with command injection payloads embedded in Content-Disposition field values (not standard field names). Look for the `|3d 22|%22` and `|22|` byte patterns in the request body within 200 bytes of each other.
- Successful exploitation results in a first response containing `code": 200` and `full_path_filename success`, followed by a second request to the dropped file path that returns output containing `uid=` and `gid=` (confirming command execution as a system user).
- The Snort/ET rule (SID 2050811) also requires the User-Agent to contain both the `Mozilla` and `Macintosh` strings, which may be characteristic of known exploit tooling for this CVE.
- The vulnerability only affects uninitialized QNAP NAS devices. Perimeter detection should be scoped accordingly; initialized devices are not exposed to this attack vector.
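As an added example (not from the page or any of the listed sources), the following Python re-implements the matching conditions of ET rule SID 2050811 as described above, applies the asset-scoping advice from the notes (only uninitialized devices expose `quick.cgi`), and checks the second-stage response indicator (`uid=`/`gid=` in the fetched file). The two sample requests, the host 192.0.2.10 and the `%22PLACEHOLDER%22` field value are constructed; the `device_initialized` flag is an assumed input from an asset inventory, not something the rule itself knows.

```python
"""Added example (not from the page's sources): a stand-alone re-implementation of the
matching conditions in ET rule SID 2050811, applied to constructed sample requests,
plus the asset-scoping and response checks the detection notes describe."""
from dataclasses import dataclass, field

# Conditions taken from the rule text: POST, the quick.cgi URI, a User-Agent carrying
# both "Mozilla" and "Macintosh", and the body byte patterns |3d 22|%22 then |22| within 200 bytes.
VULN_URI = "/cgi-bin/quick/quick.cgi?func=switch_os&todo=uploaf_firmware_image"
BODY_MARK = b'="%22'   # |3d 22| followed by the literal %22
BODY_END = b'"'        # |22|
WITHIN = 200           # Snort/Suricata "within:200", measured from the end of the previous match


@dataclass
class HttpRequest:
    method: str
    uri: str
    headers: dict = field(default_factory=dict)
    body: bytes = b""


def parse_request(raw: bytes) -> HttpRequest:
    """Minimal HTTP/1.1 request splitter: request line, headers (lower-cased names), body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, uri, _version = lines[0].decode("latin-1").split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, uri, headers, body)


def matches_et_2050811(req: HttpRequest) -> bool:
    """True when the request satisfies every content match of the ET rule."""
    if req.method != "POST" or VULN_URI not in req.uri:
        return False
    ua = req.headers.get("user-agent", "")
    if "Mozilla" not in ua or "Macintosh" not in ua:
        return False
    first = req.body.find(BODY_MARK)
    if first < 0:
        return False
    # within:200 -> the next pattern must sit in the 200 bytes after the previous match ends
    after = first + len(BODY_MARK)
    return req.body.find(BODY_END, after, after + WITHIN) >= 0


def triage(req: HttpRequest, device_initialized: bool) -> str:
    """Scope the alert as the notes advise: quick.cgi is only live on uninitialized devices.
    device_initialized is an assumed flag from an asset inventory."""
    if not matches_et_2050811(req):
        return "no-match"
    return "attempt-device-not-exposed" if device_initialized else "attempt-device-exposed"


def confirms_execution(follow_up_response_body: bytes) -> bool:
    """Second-stage indicator from the notes: the fetched dropped file contains uid= and gid=."""
    return b"uid=" in follow_up_response_body and b"gid=" in follow_up_response_body


# Constructed samples (not captured traffic). The Content-Disposition value in the first one
# is a placeholder that reproduces the rule's byte pattern without carrying any command.
SUSPICIOUS_RAW = (
    b"POST /cgi-bin/quick/quick.cgi?func=switch_os&todo=uploaf_firmware_image HTTP/1.1\r\n"
    b"Host: 192.0.2.10\r\n"
    b"User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)\r\n"
    b"Content-Type: multipart/form-data; boundary=----b0\r\n\r\n"
    b"------b0\r\n"
    b'Content-Disposition: form-data; name="%22PLACEHOLDER%22"; filename="fw.img"\r\n\r\n'
    b"data\r\n------b0--\r\n"
)
# Same endpoint and User-Agent, ordinary field names: the rule must stay quiet on this one.
BENIGN_RAW = (
    b"POST /cgi-bin/quick/quick.cgi?func=switch_os&todo=uploaf_firmware_image HTTP/1.1\r\n"
    b"Host: 192.0.2.10\r\n"
    b"User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)\r\n"
    b"Content-Type: multipart/form-data; boundary=----b0\r\n\r\n"
    b"------b0\r\n"
    b'Content-Disposition: form-data; name="image"; filename="fw.img"\r\n\r\n'
    b"data\r\n------b0--\r\n"
)

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_RAW), ("benign", BENIGN_RAW)):
        print(label, "->", triage(parse_request(raw), device_initialized=False))
```

The `within` handling is the part worth getting right when porting a rule like this into custom tooling: the second pattern is searched only in the window that starts where the first match ends, so a `"` that appears earlier in the body does not satisfy the rule. The `triage` split lets a SOC keep the perimeter signature broad while routing alerts for already-initialized devices to a lower priority, which is what the scoping notes above recommend.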
CVSS provenance
- NVD v3.1: 8.3 HIGH (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L)
- VulnCheck: 5.8 MEDIUM
GHSA
GHSA-j269-5p85-wxpq: An OS command injection vulnerability has been reported to affect several QNAP operating system versions
ghsa_unreviewed · 2024-02-13 · CVE-2023-47218 [MEDIUM] · CWE-77
(Description and fixed versions identical to the advisory text above.)
VulnCheck
QNAP QTS and QuTS Command Injection Vulnerability
vulncheck · 2023 · CVSS 5.8 · CVE-2023-47218 [MEDIUM]
QNAP NAS quick.cgi command injection vulnerability in QTS and QuTS hero
Affected: QTS, QuTS hero, and QuTScloud (QNAP)
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References:
- https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-02-16&host_type=src&vulnerability=cve-2023-47218
- https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-02-18&host_type=src&vulnerability=cve-2023-47218
- https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-02-19&host_type=src&vulnerability=cve-2023-47218
- https://dashboard.shadowserver.org/statistics/hon
Suricata
ET WEB_SPECIFIC_APPS QNAP quick.cgi uploaf_firmware_image Command Injection Attempt (CVE-2023-47218)
suricata · 2024-02-13 · CVSS 5.8 · CVE-2023-47218 [MEDIUM]
Rule: the ET rule with SID 2050811 listed under Detection & IOCs above.
Metasploit
QNAP QTS and QuTS Hero Unauthenticated Remote Code Execution in quick.cgi
metasploit
There exists an unauthenticated command injection vulnerability in the QNAP operating systems known as QTS and QuTS hero. QTS is a core part of the firmware for numerous QNAP entry-level and mid-level Network Attached Storage (NAS) devices, and QuTS hero is a core part of the firmware for numerous QNAP high-end and enterprise NAS devices. The vulnerable endpoint is the quick.cgi component, exposed by the device's web-based administration feature. The quick.cgi component is present on an uninitialized QNAP NAS device. This component is intended to be used during either manual or cloud-based provisioning of a QNAP NAS device. Once a device has been successfully initialized, the quick.cgi component is disabled on the system.
Nuclei
QNAP QTS and QuTS Hero - OS Command Injection
nuclei · CVSS 8.3 · CVE-2023-47218 [HIGH]
(Description identical to the advisory text above.)
Template:
id: CVE-2023-47218
info:
  name: QNAP QTS and QuTS Hero - OS Command Injection
  author: ritikchaddha
  severity: medium
  description: |
    An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to execute commands via a network. We have already fixed the vulnerability i
References:
- https://www.qnap.com/en/security-advisory/qsa-23-57
- https://www.rapid7.com/blog/post/2024/02/13/cve-2023-47218-qnap-qts-and-quts-hero-unauthenticated-command-injection-fixed/