Taiwanese hardware vendor QNAP warns customers to secure their Linux-powered network-attached storage (NAS) devices against a high-severity Sudo privilege escalation vulnerability.
Successful exploitation on unpatched devices running Sudo versions 1.8.0 through 1.9.12p1 could let attackers escalate privileges by editing files they are not authorized to, after appending arbitrary entries to the list of files sudoedit processes.
The vulnerability also affects the QTS, QuTS hero, QuTScloud, and QVP (QVR Pro appliances) NAS operating systems, as QNAP revealed in a security advisory published on Wednesday.
While the company has addressed the flaw in the QTS and QuTS hero platforms, it’s still working on providing QuTScloud and QVP security updates.
“Please check this security advisory regularly for updates and promptly update your operating system to the latest recommended version as soon as it is available,” QNAP warned.
“To secure your device, we recommend regularly updating your system to the latest version to benefit from vulnerability fixes.”
How to secure your QNAP NAS device
To update their QTS, QuTS hero, or QuTScloud, customers have to click the “Check for Update” option under the “Live Update” section after logging in as the admin user and going to Control Panel > System > Firmware Update.
Alternatively, they can manually apply the firmware update after downloading it from QNAP’s Download Center, where they select their device’s product type and model.
QNAP’s advisory has not tagged the CVE-2023-22809 vulnerability as being actively exploited in the wild.
However, due to the flaw’s severity, customers are advised to apply available security updates as soon as possible, as threat actors are known to actively target QNAP NAS security flaws.
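Before rolling out updates, an administrator usually wants to know which hosts actually run a build inside the affected range and which of those already carry an interim sudoers mitigation. The script below is an added example for this article, not QNAP's code and not part of the QNAP or sudo advisories. It assumes the affected range stated above (1.8.0 through 1.9.12p1, with 1.9.12p2 as the first fixed release), parses the first line of `sudo --version` output, and checks a sudoers file for the editor-variable `env_delete` line that the upstream sudo advisory recommends for sudoedit; the exact shape of that line is an assumption here and should be compared with the advisory before relying on the check. The sudoers files and version strings in the demo are constructed, not taken from a real device.

```shell
#!/bin/sh
# Added example (not QNAP's code, not from the advisory): triage a host's sudo
# against CVE-2023-22809 using the version range given in the article
# (1.8.0 through 1.9.12p1 affected; fixed in 1.9.12p2).

# Turn a version such as "1.9.12p1" into a single integer so ranges can be
# compared with test(1). Missing fields default to 0, so "1.8.0" sorts before
# "1.8.0p1". Positional parameters are local to the function in POSIX sh.
sudo_version_key() {
    ver=$1
    base=${ver%%p*}
    case $ver in
        *p*) plevel=${ver##*p} ;;
        *)   plevel=0 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $base
    IFS=$old_ifs
    echo $(( ${1:-0} * 1000000000 + ${2:-0} * 1000000 + ${3:-0} * 1000 + $plevel ))
}

# Returns 0 (true) when VERSION lies inside the affected range, 1 otherwise.
sudo_is_affected() {
    key=$(sudo_version_key "$1")
    [ "$key" -ge "$(sudo_version_key 1.8.0)" ] &&
        [ "$key" -le "$(sudo_version_key 1.9.12p1)" ]
}

# Pull the version out of captured `sudo --version` output, whose first line
# reads "Sudo version 1.9.12p1". Pure text processing, so output collected
# from a NAS over SSH can be fed in without running sudo on this machine.
parse_sudo_version_output() {
    printf '%s\n' "$1" |
        sed -n 's/^Sudo version \([0-9][0-9.]*p\{0,1\}[0-9]*\).*/\1/p' |
        head -n 1
}

# Interim mitigation check for hosts that cannot be patched yet. The upstream
# sudo advisory recommends stripping the editor variables for sudoedit; the
# pattern assumes (not verified against the advisory here) a line of the form
#   Defaults!sudoedit env_delete+="SUDO_EDITOR VISUAL EDITOR"
sudoers_has_mitigation() {
    grep -Eq '^[[:space:]]*Defaults[[:space:]]*![[:space:]]*sudoedit[[:space:]]+env_delete\+=.*SUDO_EDITOR.*VISUAL.*EDITOR' "$1"
}

# Verdict for one host: prints patched, mitigated or vulnerable.
triage_sudo() {
    version=$1
    sudoers=$2
    if ! sudo_is_affected "$version"; then
        echo patched
    elif sudoers_has_mitigation "$sudoers"; then
        echo mitigated
    else
        echo vulnerable
    fi
}

# Constructed demo input (not real device output).
demo_dir=$(mktemp -d)
printf 'Defaults env_reset\n%%admin ALL=(ALL) ALL\n' > "$demo_dir/sudoers.plain"
printf 'Defaults env_reset\nDefaults!sudoedit env_delete+="SUDO_EDITOR VISUAL EDITOR"\n' \
    > "$demo_dir/sudoers.hardened"
for v in 1.8.0 1.9.12p1 1.9.12p2 1.9.13; do
    printf '%s plain=%s hardened=%s\n' "$v" \
        "$(triage_sudo "$v" "$demo_dir/sudoers.plain")" \
        "$(triage_sudo "$v" "$demo_dir/sudoers.hardened")"
done
rm -rf "$demo_dir"
```

On a fleet, the intended use is to collect `sudo --version` and the sudoers file from each NAS, feed them to `parse_sudo_version_output` and `triage_sudo`, and treat anything reported as `vulnerable` as first in line for the firmware update described above; `mitigated` hosts still need the update, since the sudoers line only removes the editor-variable path and is not a fix.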
Recent attacks targeting QNAP NAS devices include DeadBolt and eCh0raix ransomware campaigns that abuse vulnerabilities to encrypt data on Internet-exposed devices.
Today, QNAP also announced that it’s fixing multiple other security bugs affecting its products, including some found in OpenSSL, Samba [1, 2], and its own operating systems (exploitable for remote command execution and information disclosure).