JVNDB-2014-000126

QNAP QTS vulnerable to OS command injection

QNAP QTS is an operating system for Turbo NAS. QNAP QTS contains a flaw in the GNU Bash shell, which may result in an OS command injection vulnerability (CWE-78).

Yuuki Wakisaka of University of Electro-Communications reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

QNAP Systems

• QNAP QTS 4.1.1 Build 0927 and earlier

A malicious attacker may be able to execute arbitrary command at the privilege level of the calling application.

[Update the Firmware]
Update to the latest version of firmware according to the information provided by the developer.

QNAP Systems

• QNAP Systems, Inc. : NAS-201410-05: Protect Your Turbo NAS from Remote Attackers - Bash (Shellshock) Vulnerabilities

Apple Inc.

• Apple Mailing Lists : APPLE-SA-2015-09-30-3 OS X El Capitan 10.11
• Apple Security Updates : HT205267

Hitachi, Ltd

• Hitachi : bash_cve20146271 (in Japanese)
• Hitachi : bash_ha8500 (in Japanese)

1. OS Command Injection(CWE-78) [IPA Evaluation]

1. CVE-2014-7169
2. CVE-2014-6271
3. CVE-2014-6277
4. CVE-2014-6278
5. CVE-2014-7186
6. CVE-2014-7187

1. JVN : JVN#55667175
2. JVN : JVNVU#97219505 (in Japanese)
3. JVN : JVNVU#97220341
4. JVN iPedia : JVNDB-2014-004399 (in Japanese)
5. JVN iPedia : JVNDB-2014-004410 (in Japanese)
6. JVN iPedia : JVNDB-2014-004431 (in Japanese)
7. JVN iPedia : JVNDB-2014-004476 (in Japanese)
8. JVN iPedia : JVNDB-2014-004432 (in Japanese)
9. JVN iPedia : JVNDB-2014-004433 (in Japanese)
10. National Vulnerability Database (NVD) : CVE-2014-7169
11. National Vulnerability Database (NVD) : CVE-2014-6271
12. National Vulnerability Database (NVD) : CVE-2014-6277
13. National Vulnerability Database (NVD) : CVE-2014-6278
14. National Vulnerability Database (NVD) : CVE-2014-7186
15. National Vulnerability Database (NVD) : CVE-2014-7187
16. US-CERT Vulnerability Note : VU#252743 GNU Bash shell executes commands in environment variables
17. ICS-CERT ADVISORY : ICSA-15-344-01
18. ICS-CERT ADVISORY : ICSA-14-269-01A

• [2014/10/28]
    Web page was published
  [2014/10/30]
    Affected Products : Product version was modified
    Vendor Information : Content was modified
    CVE : CVE-IDs were added
    References : Contents were added
  [2015/10/06]
    Vendor Information : Content was modified
    References : Content was added
  [2015/12/22]
    References : Content was added
  [2015/12/25]
    Vendor Information : Contents were added
• [2024/07/18]
    References : Content was added