The security fix for QNAP Surveillance Station Pro (specifically tracked under QNAP Security Advisory NAS-201306-01) patches several critical vulnerabilities that allowed remote attackers to hijack network video recorders (NVRs) and connected IP cameras. Left unpatched, these flaws let unauthorized users execute malicious code with root-level system administrative privileges. The Security Vulnerabilities Explained
The advisory addresses three highly dangerous common vulnerabilities and exposures (CVEs) found within older versions of the app:
Hardcoded Guest Account (CVE-2013-0142): The application contained a hardcoded guest username and password built into the webserver code. Attackers could leverage these static credentials to easily log in remotely without your knowledge.
Remote Code Execution via Ping Script (CVE-2013-0143): The app utilized a background script (such as pingping.cgi) to test camera connectivity. Because this script lacked input sanitization, any user (including the hidden guest account) could inject system commands into the “ping” utility to take full operational control of the QNAP Turbo NAS.
Cross-Site Request Forgery (CVE-2013-0144): A CSRF flaw allowed attackers to create a secret, unauthorized administrator account. This was achieved simply by tricking a logged-in NAS owner into clicking a malicious web link. Affected Software Versions
The vulnerabilities strictly affect legacy environments running older firmware setups:
QTS 3.8 Firmware: Running Surveillance Station Pro versions v2.0 through v2.5.
QTS 4.0 Firmware: Running Surveillance Station Pro versions v3.0.0 through v3.0.2. How to Fix and Secure Your Setup
Qnap NAS, Surveillance Station, Setup & Security | IP Cam Talk
Leave a Reply