QNAP QTS vulnerable to OS command injection


QNAP QTS is the operating system for QNAP Turbo NAS devices. QNAP QTS ships the GNU Bash shell and is therefore affected by the Bash flaw in which commands appended to a function definition passed in an environment variable are executed when the shell starts ("Shellshock"). Wherever a network-facing service on the NAS passes attacker-controlled input to Bash through the environment, this results in an OS command injection vulnerability (CWE-78).

Yuuki Wakisaka of University of Electro-Communications reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVSS Severity

CVSS v2 Base Score: 10.0 (High) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Low
  • Authentication: None
  • Confidentiality Impact: Complete
  • Integrity Impact: Complete
  • Availability Impact: Complete

Affected Products

QNAP Systems
  • QNAP QTS 4.1.1 Build 0927 and earlier


Impact

A remote attacker may be able to execute arbitrary commands with the privileges of the application that invoked Bash.

Solution

[Update the Firmware]
Update to the latest firmware according to the information provided by the developer.
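As an added illustration of the path from network input to Bash (not code from the JVN advisory or from QNAP): a web server exports request headers as CGI environment variables, and an unpatched Bash started by the CGI program imported any variable whose value began with `() {` as a function definition and executed the commands that followed it. The block below builds that environment from a constructed request and screens it for the import marker, the kind of interim request filter used while a firmware fix was pending. The hostname, CGI path and header values are invented for the example. Screening narrows one delivery vector only; the fix is the firmware update.

```python
"""Screening HTTP requests for Bash function-import payloads (CVE-2014-6271 family).

Added example, not code from the JVN advisory or from QNAP. The request
samples, hostname and CGI path are constructed for illustration.
"""
import re
from typing import Dict, List, Tuple

# Unpatched Bash imported any environment variable whose value began with
# "() {" as a function definition and kept parsing past the closing brace,
# executing whatever followed. Every payload in this family starts with
# that marker, with optional whitespace between the tokens.
FUNCTION_IMPORT_MARKER = re.compile(r"^\s*\(\s*\)\s*\{")


def cgi_environment(request: str) -> Dict[str, str]:
    """Map an HTTP request onto the CGI meta-variables (RFC 3875 naming)
    a server exports before running a CGI program. Only the request line
    and headers are handled; the body is ignored."""
    lines = request.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    path, _, query = target.partition("?")
    env = {"REQUEST_METHOD": method, "SCRIPT_NAME": path, "QUERY_STRING": query}
    for line in lines[1:]:
        if not line:  # the empty line ends the header block
            break
        name, _, value = line.partition(":")
        # "User-Agent" becomes HTTP_USER_AGENT, exactly what the CGI child
        # (and any Bash it starts) sees in its environment.
        env["HTTP_" + name.strip().upper().replace("-", "_")] = value.strip()
    return env


def find_function_imports(env: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (variable, value) pairs that a pre-patch Bash would parse as
    an imported function definition."""
    return [(name, value) for name, value in env.items()
            if FUNCTION_IMPORT_MARKER.match(value)]


def screen_request(request: str) -> Tuple[bool, List[Tuple[str, str]]]:
    """Decide whether a request may be handed to a CGI program.

    Returns (allowed, findings). This is an interim filter of the kind
    deployed while a firmware fix was pending; it blocks one delivery
    vector and is no substitute for a patched Bash."""
    findings = find_function_imports(cgi_environment(request))
    return (not findings), findings


# Constructed samples: hostname and CGI path are invented for the example.
BENIGN_REQUEST = (
    "GET /cgi-bin/status.cgi?view=disk HTTP/1.1\r\n"
    "Host: nas.example.test\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "\r\n"
)

MALICIOUS_REQUEST = (
    "GET /cgi-bin/status.cgi HTTP/1.1\r\n"
    "Host: nas.example.test\r\n"
    "User-Agent: () { :; }; /bin/cat /etc/passwd\r\n"
    "Referer: ( ) { ignored; }; id\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, req in (("benign", BENIGN_REQUEST), ("malicious", MALICIOUS_REQUEST)):
        allowed, findings = screen_request(req)
        print(f"{label}: allowed={allowed}")
        for name, value in findings:
            print(f"  {name} = {value!r}")
```

The marker check is deliberately anchored at the start of the value and tolerant of whitespace, because that is how the old Bash import parser recognised a function; a filter keyed on a single literal string such as `() {` would miss the spaced variant shown in the Referer header.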
Vendor Information

  • QNAP Systems
  • Apple Inc.
  • Hitachi, Ltd.
CWE

  1. OS Command Injection(CWE-78) [IPA Evaluation]
CVE

  1. CVE-2014-7169
  2. CVE-2014-6271
  3. CVE-2014-6277
  4. CVE-2014-6278
  5. CVE-2014-7186
  6. CVE-2014-7187

References

  1. JVN : JVN#55667175
  2. JVN : JVNVU#97219505 (in Japanese)
  3. JVN : JVNVU#97220341
  4. JVN iPedia : JVNDB-2014-004399 (in Japanese)
  5. JVN iPedia : JVNDB-2014-004410 (in Japanese)
  6. JVN iPedia : JVNDB-2014-004431 (in Japanese)
  7. JVN iPedia : JVNDB-2014-004476 (in Japanese)
  8. JVN iPedia : JVNDB-2014-004432 (in Japanese)
  9. JVN iPedia : JVNDB-2014-004433 (in Japanese)
  10. National Vulnerability Database (NVD) : CVE-2014-7169
  11. National Vulnerability Database (NVD) : CVE-2014-6271
  12. National Vulnerability Database (NVD) : CVE-2014-6277
  13. National Vulnerability Database (NVD) : CVE-2014-6278
  14. National Vulnerability Database (NVD) : CVE-2014-7186
  15. National Vulnerability Database (NVD) : CVE-2014-7187
  16. US-CERT Vulnerability Note : VU#252743 GNU Bash shell executes commands in environment variables
  17. ICS-CERT ADVISORY : ICSA-15-344-01
Revision History

  Web page was published
  Affected Products : Product version was modified
  Vendor Information : Content was modified
  CVE : CVE-IDs were added
  References : Contents were added
  Vendor Information : Content was modified
  References : Content was added
  References : Content was added
  Vendor Information : Contents were added