QNAP QTS vulnerable to OS command injection


QNAP QTS is an operating system for Turbo NAS. QNAP QTS contains a flaw in the GNU Bash shell, which may result in an OS command injection vulnerability (CWE-78).

Yuuki Wakisaka of University of Electro-Communications reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)

CVSS V2 Severity:
Base Metrics 10.0 (High) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Low
  • Authentication: None
  • Confidentiality Impact: Complete
  • Integrity Impact: Complete
  • Availability Impact: Complete
Affected Products

QNAP Systems
  • QNAP QTS 4.1.1 Build 0927 and earlier


A malicious attacker may be able to execute arbitrary command at the privilege level of the calling application.

[Update the Firmware]
Update to the latest version of firmware according to the information provided by the developer.
Vendor Information

QNAP Systems Apple Inc. Hitachi, Ltd
CWE (What is CWE?)

  1. OS Command Injection(CWE-78) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2014-7169
  2. CVE-2014-6271
  3. CVE-2014-6277
  4. CVE-2014-6278
  5. CVE-2014-7186
  6. CVE-2014-7187

  1. JVN : JVN#55667175
  2. JVN : JVNVU#97219505 (in Japanese)
  3. JVN : JVNVU#97220341
  4. JVN iPedia : JVNDB-2014-004399 (in Japanese)
  5. JVN iPedia : JVNDB-2014-004410 (in Japanese)
  6. JVN iPedia : JVNDB-2014-004431 (in Japanese)
  7. JVN iPedia : JVNDB-2014-004476 (in Japanese)
  8. JVN iPedia : JVNDB-2014-004432 (in Japanese)
  9. JVN iPedia : JVNDB-2014-004433 (in Japanese)
  10. National Vulnerability Database (NVD) : CVE-2014-7169
  11. National Vulnerability Database (NVD) : CVE-2014-6271
  12. National Vulnerability Database (NVD) : CVE-2014-6277
  13. National Vulnerability Database (NVD) : CVE-2014-6278
  14. National Vulnerability Database (NVD) : CVE-2014-7186
  15. National Vulnerability Database (NVD) : CVE-2014-7187
  16. US-CERT Vulnerability Note : VU#252743 GNU Bash shell executes commands in environment variables
  17. ICS-CERT ADVISORY : ICSA-15-344-01
Revision History

  • [2014/10/28]
      Web page was published
      Affected Products : Product version was modified
      Vendor Information : Content was modified
      CVE : CVE-IDs were added
      References : Contents were added
      Vendor Information : Content was modified
      References : Content was added
      References : Content was added
      Vendor Information : Contents were added