{"vuid":"VU#927644","idnumber":"927644","name":"QNAP VioStor NVR firmware version 4.0.3 and QNAP NAS multiple vulnerabilities","keywords":["viostor","nvr","pingping","cgi","csrf","cwe-77","cwe-352","cwe-284","nas"],"overview":"QNAP VioStor NVR firmware version 4.0.3 and possibly earlier versions and QNAP NAS contains multiple vulnerabilities which may allow an attacker to perform administrative functions against the hosted server.","clean_desc":"QNAP VioStor NVR firmware version 4.0.3 and possibly earlier versions and QNAP NAS with the Surveillance Station Pro activated contains multiple vulnerabilities which may allow an attacker to perform administrative functions against the hosted server. CWE-284: Improper Access Control CVE-2013-0142\nVioStor NVR firmware version 4.0.3 and possibly earlier versions and QNAP NAS with the Surveillance Station Pro activated contains a hardcoded guest account and password which can be leveraged to login to the webserver. It has been reported that it is not possible to view or administer the guest account using the web interface. CWE-77: Improper Neutralization of Special Elements used in a Command CVE-2013-0143\nVioStor NVR firmware version 4.0.3 and possibly earlier versions and QNAP NAS with the Surveillance Station Pro activated contains scripts which could allow any user e.g. guest users to execute scripts which run with administrative privileges. It is possible to execute code on the webserver using the ping function. Example: http://[server-ip]/cgi-bin/pingping.cgi?ping_ip=1;whoami CWE-352: Cross-Site Request Forgery (CSRF). CVE-2013-0144\nVioStor NVR firmware version 4.0.3 and possibly earlier versions contains a cross-site request forgery vulnerability could allow an attacker to add a new administrative account to the server by tricking an administrator to click on a malicious link while they are currently logged into the webserver. Example: http://[server-ip]/cgi-bin/create_user.cgi?OK=&function=USER&subfun=NEW&USERNAME=&NAME=attacker&PASSWD=12345&VERIFY=12345&create_user_list=admin&PTZ1=on&Audio1=on&PTZ2=on&Audio2=on&PTZ3=on&Audio3=on&PTZ4=on&Audio4=on The CVSS scores below apply to CVE-2013-0143.","impact":"An authenticated (via known credentials or hardcoded guest account) attacker may be able to execute arbitrary commands or add administrative accounts to the server.","resolution":"Update\nQNAP has released firmware updates to address these vulnerabilities: QNAP VioStor NVR firmware version 4.0.3 and possibly earlier versions users are advised to upgrade to QNAP VioStor NVR system firmware version 4.0.3 build 6612. QNAP NAS with the Surveillance Station Pro activated are advised to upgrade to QNAP Surveillance Station Pro to v3.0.2 or higher.","workarounds":"Restrict Network Access As a general good security practice, only allow connections from trusted hosts and networks. Restricting access would prevent an attacker from connecting to the service from a blocked network location.","sysaffected":"","thanks":"Thanks to Tim Herres and David Elze of Daimler TSS for reporting this vulnerability.","author":"This document was written by Michael Orlando.","public":["http://www.qnapsecurity.com/AboutQNAP.asp","http://cwe.mitre.org/data/definitions/77.html","http://cwe.mitre.org/data/definitions/352.html","http://cwe.mitre.org/data/definitions/284.html","http://www.qnap.com/en/index.php?lang=en&sn=845&c=2699&sc=&n=18922","http://www.qnap.com/en/index.php?lang=en&sn=845&c=2699&sc=&n=18925"],"cveids":["CVE-2013-0142","CVE-2013-0143","CVE-2013-0144"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2013-03-28T17:28:02Z","publicdate":"2013-06-05T00:00:00Z","datefirstpublished":"2013-06-05T17:16:50Z","dateupdated":"2014-07-30T16:28:05Z","revision":33,"vrda_d1_directreport":"1","vrda_d1_population":"3","vrda_d1_impact":"3","cam_widelyknown":"0","cam_exploitation":"0","cam_internetinfrastructure":"0","cam_population":"0","cam_impact":"0","cam_easeofexploitation":"0","cam_attackeraccessrequired":"0","cam_scorecurrent":"0","cam_scorecurrentwidelyknown":"0","cam_scorecurrentwidelyknownexploited":"0","ipprotocol":"","cvss_accessvector":"N","cvss_accesscomplexity":"L","cvss_authentication":null,"cvss_confidentialityimpact":"C","cvss_integrityimpact":"C","cvss_availabilityimpact":"C","cvss_exploitablity":null,"cvss_remediationlevel":"ND","cvss_reportconfidence":"UC","cvss_collateraldamagepotential":"ND","cvss_targetdistribution":"L","cvss_securityrequirementscr":"ND","cvss_securityrequirementsir":"ND","cvss_securityrequirementsar":"ND","cvss_basescore":"10","cvss_basevector":"AV:N/AC:L/Au:N/C:C/I:C/A:C","cvss_temporalscore":"7.7","cvss_environmentalscore":"1.9114471152","cvss_environmentalvector":"CDP:ND/TD:L/CR:ND/IR:ND/AR:ND","metric":0.0,"vulnote":null}