CVE-2020-2509

17.04.2021, 04:15

A command injection vulnerability has been reported to affect QTS and QuTS hero. If exploited, this vulnerability allows attackers to execute arbitrary commands in a compromised application. We have already fixed this vulnerability in the following versions: QTS 4.5.2.1566 Build 20210202 and later QTS 4.5.1.1495 Build 20201123 and later QTS 4.3.6.1620 Build 20210322 and later QTS 4.3.4.1632 Build 20210324 and later QTS 4.3.3.1624 Build 20210416 and later QTS 4.2.6 Build 20210327 and later QuTS hero h4.5.1.1491 build 20201119 and later

Command Injection

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	9.8 CRITICAL	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
qnap	CNA	---				---
CVE	ADP	---				---
CISA-ADP	ADP	9.8 CRITICAL	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 99%

Vendor	Product	Version
qnap	qts	𝑥 < 4.2.6
qnap	qts	4.3.5 ≤ 𝑥 < 4.3.6
qnap	qts	4.4.0 ≤ 𝑥 < 4.5.1
qnap	qts	4.2.6
qnap	qts	4.2.6:build_20170517
qnap	qts	4.2.6:build_20190322
qnap	qts	4.2.6:build_20190730
qnap	qts	4.2.6:build_20190921
qnap	qts	4.2.6:build_20191107
qnap	qts	4.2.6:build_20200109
qnap	qts	4.2.6:build_20200421
qnap	qts	4.2.6:build_20200611
qnap	qts	4.2.6:build_20200821
qnap	qts	4.3.3.0174
qnap	qts	4.3.3.0868
qnap	qts	4.3.3.0998
qnap	qts	4.3.3.1051
qnap	qts	4.3.3.1098
qnap	qts	4.3.3.1161
qnap	qts	4.3.3.1252
qnap	qts	4.3.3.1315
qnap	qts	4.3.3.1386
qnap	qts	4.3.3.1432
qnap	qts	4.3.4.0358
qnap	qts	4.3.4.0358:beta1
qnap	qts	4.3.4.0370
qnap	qts	4.3.4.0370:beta1
qnap	qts	4.3.4.0372
qnap	qts	4.3.4.0372:beta1
qnap	qts	4.3.4.0374
qnap	qts	4.3.4.0374:beta1
qnap	qts	4.3.4.0387
qnap	qts	4.3.4.0387:beta2
qnap	qts	4.3.4.0411
qnap	qts	4.3.4.0416
qnap	qts	4.3.4.0427
qnap	qts	4.3.4.0434
qnap	qts	4.3.4.0435
qnap	qts	4.3.4.0451
qnap	qts	4.3.4.0483
qnap	qts	4.3.4.0486
qnap	qts	4.3.4.0506
qnap	qts	4.3.4.0516
qnap	qts	4.3.4.0526
qnap	qts	4.3.4.0551
qnap	qts	4.3.4.0557
qnap	qts	4.3.4.0561
qnap	qts	4.3.4.0569
qnap	qts	4.3.4.0593
qnap	qts	4.3.4.0597
qnap	qts	4.3.4.0604
qnap	qts	4.3.4.0899
qnap	qts	4.3.4.1029
qnap	qts	4.3.4.1082
qnap	qts	4.3.4.1190
qnap	qts	4.3.4.1282
qnap	qts	4.3.4.1368
qnap	qts	4.3.4.1417
qnap	qts	4.3.4.1463
qnap	qts	4.3.6
qnap	qts	4.3.6.0895
qnap	qts	4.3.6.0907
qnap	qts	4.3.6.0923
qnap	qts	4.3.6.0944
qnap	qts	4.3.6.0959
qnap	qts	4.3.6.0979
qnap	qts	4.3.6.0993
qnap	qts	4.3.6.1013
qnap	qts	4.3.6.1033
qnap	qts	4.3.6.1070
qnap	qts	4.3.6.1154
qnap	qts	4.3.6.1218
qnap	qts	4.3.6.1263
qnap	qts	4.3.6.1286
qnap	qts	4.3.6.1333
qnap	qts	4.3.6.1411
qnap	qts	4.3.6.1446
qnap	qts	4.5.1
qnap	qts	4.5.1.1456
qnap	qts	4.5.1.1461
qnap	qts	4.5.1.1465
qnap	qts	4.5.1.1480
qnap	qts	4.5.2

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')
The software constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

References

https://www.qnap.com/en/security-advisory/qsa-21-05