ID CVE-2017-13067
Summary QNAP has patched a remote code execution vulnerability affecting the QTS Media Library in all versions prior to QTS 4.2.6 build 20170905 and QTS 4.3.3.0299 build 20170901. This particular vulnerability allows a remote attacker to execute commands on a QNAP NAS using a transcoding service on port 9251. A remote user does not require any privileges to successfully execute an attack.
References
Vulnerable Configurations
  • cpe:2.3:o:qnap:qts:4.2.0:-:*:*:*:*:*:*
  • cpe:2.3:o:qnap:qts:4.2.0:rc1:*:*:*:*:*:*
  • cpe:2.3:o:qnap:qts:4.2.1:*:*:*:*:*:*:*
  • cpe:2.3:o:qnap:qts:4.2.2:*:*:*:*:*:*:*
  • cpe:2.3:o:qnap:qts:4.2.3:*:*:*:*:*:*:*
  • cpe:2.3:o:qnap:qts:4.2.4:*:*:*:*:*:*:*
  • cpe:2.3:o:qnap:qts:4.2.6:*:*:*:*:*:*:*
  • cpe:2.3:o:qnap:qts:4.3.1.0013:*:*:*:*:*:*:*
  • cpe:2.3:o:qnap:qts:4.3.1.0023:*:*:*:*:*:*:*
  • cpe:2.3:o:qnap:qts:4.3.2.0050:*:*:*:*:*:*:*
  • cpe:2.3:o:qnap:qts:4.3.2.0060:*:*:*:*:*:*:*
  • cpe:2.3:o:qnap:qts:4.3.2.0144:*:*:*:*:*:*:*
  • cpe:2.3:o:qnap:qts:4.3.3:*:*:*:*:*:*:*
  • cpe:2.3:o:qnap:qts:4.3.3.0095:*:*:*:*:*:*:*
  • cpe:2.3:o:qnap:qts:4.3.3.0096:*:*:*:*:*:*:*
  • cpe:2.3:o:qnap:qts:4.3.3.0136:*:*:*:*:*:*:*
  • cpe:2.3:o:qnap:qts:4.3.3.0154:*:*:*:*:*:*:*
  • cpe:2.3:o:qnap:qts:4.3.3.0188:*:*:*:*:*:*:*
  • cpe:2.3:o:qnap:qts:4.3.3.0210:*:*:*:*:*:*:*
  • cpe:2.3:o:qnap:qts:4.3.3.0229:*:*:*:*:*:*:*
  • cpe:2.3:o:qnap:qts:4.3.3.0238:*:*:*:*:*:*:*
  • cpe:2.3:o:qnap:qts:4.3.3.0262:*:*:*:*:*:*:*
  • cpe:2.3:o:qnap:qts:4.3.3.0299:*:*:*:*:*:*:*
CVSS
Base: 7.5 (as of 03-10-2019 - 00:03)
Impact:
Exploitability:
CWE NVD-CWE-noinfo
CAPEC
Access
Vector: NETWORK
Complexity: LOW
Authentication: NONE
Impact
Confidentiality: PARTIAL
Integrity: PARTIAL
Availability: PARTIAL
cvss-vector via4 AV:N/AC:L/Au:N/C:P/I:P/A:P
refmap via4
confirm https://www.qnap.com/zh-hk/releasenotes/
Last major update 03-10-2019 - 00:03
Published 14-09-2017 - 15:29
Last modified 03-10-2019 - 00:03