
CVE-2022-27596: The Next Ransomware Target?


January 31, 2023

UPDATE Feb 3rd, 2023

  • Today, QNAP updated its advisory to correct the list of affected products. The advisory now states: “QTS 5.0.0, QTS 4.x.x, QuTS hero 5.0.0 and QuTS hero 4.5.x are not affected.” This update drastically changes the outcome of this report, as most of the devices we observed were running version 5.0.0 or version 4.3.3, both of which QNAP has now made clear are not vulnerable to this attack.
  • This post initially used the NIST NVD advisory and the JSON-encoded attachment from QNAP as its source of truth. Both contained affected-version details that explicitly stated versions lower than “h5.0.1.2248 build 20221215” and lower than “5.0.1.2234 build 20221201” were affected. With the new wording from QNAP, the exposure is far less severe: the set of affected versions shrinks to a very small number.
  • The official NIST NVD entry for the CVE has yet to be updated with this new information; as of February 3rd, 2023, it still shows the incorrect software configurations.
  • We are processing this new data and will continue to update this post.

Data as of February 3rd, 2023

On January 30th, 2023, information emerged about a new vulnerability targeting QNAP devices. Although few details about the vulnerability are available, we know that it affects QNAP QTS devices running version 5.0.1 up to, but not including, 5.0.1.2234, and QuTS Hero devices running version “h5.0.1” up to, but not including, “h5.0.1.2248”. It was fixed in QTS version 5.0.1.2234 and QuTS Hero h5.0.1.2248. The issue is tracked as CVE-2022-27596.

Note: as of February 03, 2022, NVD is still reporting the wrong software configuration values for vulnerable versions of this firmware.

We also know that, if exploitation is successful, an attacker can “inject malicious code”; QNAP has rated this a critical vulnerability with low attack complexity, no authentication required, and remote exploitability. The Common Weakness Enumeration (CWE) assigned to it is CWE-89: Improper Neutralization of Special Elements used in an SQL Command (SQL injection).

Now that most of the original data for this post is outdated, given the updates to the advisory, we have produced a more general outline of the QNAP devices and versions we have observed on the internet. With this update from QNAP, we learned that only QTS version 5.0.1 and QuTS Hero version h5.0.1 are affected. The good news is that no hosts exposed on the internet are running these firmware versions.
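As an added illustration of the corrected affected-version ranges described above (example code written for this post, not Censys tooling or anything from QNAP), the following Python classifier parses QNAP-style version strings such as “5.0.0”, “4.3.3”, “5.0.1.2200” and “h5.0.1.2248”, applies the advisory’s fixed builds (QTS 5.0.1.2234, QuTS hero h5.0.1.2248), and tallies a list of observed versions. The “h” prefix is assumed to denote QuTS hero, and the sample version list is constructed, not drawn from Censys data.

```python
import re
from collections import Counter
from typing import Optional

# Fixed builds named in the advisory for CVE-2022-27596.
QTS_FIXED = (5, 0, 1, 2234)
HERO_FIXED = (5, 0, 1, 2248)

# Optional "h" prefix (assumed to mean QuTS hero), then major.minor.patch[.build]
VERSION_RE = re.compile(r"^(h)?(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?$")


def parse_version(text: str):
    """Return (product, (major, minor, patch, build)); build is None if absent."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised QNAP version string: {text!r}")
    hero, major, minor, patch, build = m.groups()
    parts = (int(major), int(minor), int(patch), int(build) if build else None)
    return ("QuTS hero" if hero else "QTS"), parts


def is_affected(text: str) -> Optional[bool]:
    """True if affected, False if not, None if the string lacks the build
    number needed to place it relative to the fixed build."""
    product, (major, minor, patch, build) = parse_version(text)
    fixed = HERO_FIXED if product == "QuTS hero" else QTS_FIXED
    # Corrected advisory: only the 5.0.1 / h5.0.1 line is affected at all;
    # 5.0.0, 4.x.x and h5.0.0 / h4.5.x are out of scope regardless of build.
    if (major, minor, patch) != fixed[:3]:
        return False
    if build is None:
        # "5.0.1" alone cannot be compared against 5.0.1.2234: flag for follow-up.
        return None
    return build < fixed[3]


def classify(versions) -> Counter:
    """Tally observed version strings into affected / not affected / needs build / unknown."""
    counts: Counter = Counter()
    for v in versions:
        try:
            verdict = is_affected(v)
        except ValueError:
            counts["unknown"] += 1
            continue
        if verdict is None:
            counts["needs build number"] += 1
        else:
            counts["affected" if verdict else "not affected"] += 1
    return counts


if __name__ == "__main__":
    # Constructed sample, not observed data.
    sample = ["5.0.0", "4.3.3", "5.0.1.2200", "h5.0.1.2248", "5.0.1", "n/a"]
    print(dict(classify(sample)))
```

Versions reported without a build number are deliberately returned as None rather than guessed either way; an inventory pass should treat those as unresolved and pull the full build string from the device before deciding.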

Our latest data shows that 61,597 hosts are running a QNAP device, and we successfully obtained the running firmware version from 32,765 of those.

Top 10 Countries Running QNAP

| Country        | QNAP Host Count |
|----------------|-----------------|
| Italy          | 3,500           |
| United States  | 3,264           |
| Germany        | 2,444           |
| Taiwan         | 2,352           |
| Japan          | 1,749           |
| France         | 1,586           |
| Hong Kong      | 1,444           |
| South Korea    | 1,317           |
| United Kingdom | 1,228           |
| China          | 1,087           |

Top 10 Autonomous Systems

| Autonomous System          | QNAP Host Count |
|----------------------------|-----------------|
| HINET Data Communication   | 1,771           |
| DTAG Internet              | 1,285           |
| ASN-IBSNAZ                 | 1,188           |
| COMCAST-7922               | 884             |
| KIXS-AS-KR                 | 740             |
| VODAFONE-IT-ASN            | 660             |
| HKTIMS-AP HKT Limited      | 581             |
| TNF-AS                     | 555             |
| France Telecom – Orange    | 554             |
| CHINANET-BACKBONE No.31    | 552             |

Top 10 QNAP Firmware Versions

| QNAP Firmware Version | Host Count |
|-----------------------|------------|
| 5.0.0                 | 7,882      |
| 4.3.3                 | 7,566      |
| 4.3.6                 | 5,172      |
| 4.3.4                 | 4,529      |
| 4.2.6                 | 1,632      |
| 4.5.2                 | 957        |
| 4.5.1                 | 869        |
| 4.4.3                 | 773        |
| 4.4.1                 | 746        |
| 4.3.5                 | 732        |

What we know:

  • It is a SQL injection vulnerability
  • It is trivial to exploit
  • It does not require authentication
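The post names the weakness class (CWE-89) but no details of the affected QNAP code, so the following is a generic added illustration, not QNAP’s code or anything derived from the vulnerability itself: an in-memory SQLite lookup written two ways, once by concatenating untrusted input into the SQL text and once with a bound parameter. The table, rows and the single-quote test input are constructed for the example; the point is that the concatenated form lets the input alter the query’s WHERE clause while the parameterised form treats the same input purely as data.

```python
import sqlite3

# Constructed sample data; the schema and rows are not from any real device.
_SEED = [("alice", "user"), ("bob", "admin")]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", _SEED)
    conn.commit()
    return conn


def lookup_concatenated(conn: sqlite3.Connection, name: str) -> list:
    """CWE-89 pattern: untrusted input is spliced into the SQL text, so a
    quote character in `name` changes the structure of the query."""
    sql = "SELECT name, role FROM accounts WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn: sqlite3.Connection, name: str) -> list:
    """Hardened form: the driver binds `name` as a value; the query structure
    is fixed before any input is seen, whatever characters the input holds."""
    return conn.execute(
        "SELECT name, role FROM accounts WHERE name = ?", (name,)
    ).fetchall()


def row_counts(name: str) -> tuple:
    """Return (rows from concatenated query, rows from parameterised query)
    for the same input, so the two behaviours can be compared directly."""
    conn = make_db()
    try:
        return len(lookup_concatenated(conn, name)), len(lookup_parameterised(conn, name))
    finally:
        conn.close()


if __name__ == "__main__":
    print("benign input:", row_counts("alice"))
    # A name containing a quote and a tautology: the concatenated query
    # matches every row, the parameterised one matches none.
    print("quote-bearing input:", row_counts("x' OR 'a'='a"))
```

A detection-side takeaway: a WHERE clause that matches a whole table for a single-value lookup is exactly the anomaly a database audit log or query-shape monitor can alert on, and the parameterised form removes the condition that makes it possible.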

We have previously discussed problems with QNAP in the context of the Deadbolt ransomware campaigns, which at their height had infected over 20,000 devices and extracted just under $200,000 from victims. While there are no indications that bad actors are using this new exploit yet, the threat is definitely on the horizon.

Given that the Deadbolt ransomware is geared to target QNAP NAS devices specifically, it’s very likely that if an exploit is made public, the same criminals will use it to spread the same ransomware again.

Censys has observed 67,415 hosts with indications of running a QNAP-based system; unfortunately, we could obtain the version number from only 30,520 of them. But if the advisory were correct (Update Feb 3rd, 2023: it wasn’t), over 98% of identified QNAP devices would be vulnerable to this attack. Of the 30,520 hosts with a version, only 557 were running QuTS Hero greater than or equal to “h5.0.1.2248” or QTS greater than or equal to “5.0.1.2234”, meaning 29,968 hosts could be affected by this vulnerability.

What can be done?

About the Author
Mark Ellzey
Senior Security Researcher
Mark Ellzey is a Senior Security Researcher at Censys. Before his current role, Mark worked as both a network security engineer and a software developer for several internet service providers and financial institutions over more than 22 years.