CVE-2023-50358 Detection: A New Zero-Day Vulnerability in QNAP QTS and QuTS Hero Firmware


Close on the heels of a critical Jenkins RCE vulnerability, another security flaw that can pose a severe threat to global organizations has emerged in the cyber threatscape. A new zero-day vulnerability in the QNAP QTS and QuTS hero operating systems, tracked as CVE-2023-50358, is currently in the spotlight. The uncovered command injection vulnerability impacts QNAP Network Attached Storage (NAS) appliances. The security flaw has already compromised over 250K separate IP addresses linked to Europe, the U.S., China, and Japan.

Detecting CVE-2023-50358 Exploitation Attempts

Adding to the list of around 30K vulnerabilities detected in 2023, CVE-2023-50358 poses a significant menace to cyber defenders globally. Given the multiple attempts to weaponize this zero-day, security professionals require innovative tools to detect exploitation attempts at the earliest stages of the attack. SOC Prime Platform offers a collection of dedicated detection algorithms backed by advanced solutions to streamline threat hunting and investigation.

Possible Initial Access Using New Vulnerability in QNAP QTS Firmware [CVE-2023-50358] (via web server)

The rule above, provided by our keen Threat Bounty developer Kagan SUKUR, helps to detect exploitation attempts against the zero-day flaw in QNAP QTS and QuTS hero. The rule is compatible with 18 SIEM, EDR, XDR, and Data Lake solutions and is mapped to the MITRE ATT&CK framework v14.1.

To boost threat hunting efficiency and secure organizational infrastructure, cyber defenders can dive into the entire detection stack aimed at vulnerability exploit detection. Hit the Explore Detections button below, and drill down to the extensive collections of Sigma rules enriched with relevant metadata. Specifically, rules are accompanied by CTI links, ATT&CK references, triage recommendations, attack timelines, and more.

Explore Detections

CVE-2023-50358 Analysis

In November 2023, Unit 42 researchers uncovered a new zero-day vulnerability in QNAP QTS and QuTS hero firmware affecting NAS devices. The identified zero-day is a command injection vulnerability within the quick.cgi component of the QNAP QTS firmware, which can be accessed without authentication. The vulnerability tracked as CVE-2023-50358 arises when the HTTP request parameter “todo=set_timeinfo” is configured, and the parameter “SPECIFIC_SERVER” is saved into a specific configuration file under the entry name “NTP Address.” Over 250K devices have been exposed to CVE-2023-50358 exploitation, with identified IP addresses coming from 18 countries, including the U.S., Europe, Canada, the UK, Australia, and East Asia.
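The Sigma rule referenced earlier works "via web server" logs, and the analysis above gives the three indicators such a rule keys on: a request to quick.cgi, the parameter todo=set_timeinfo, and a SPECIFIC_SERVER value that is written into a configuration file. The following Python is an added example written for this post (it is not SOC Prime's rule, nor code from Unit 42 or QNAP) that applies that logic to access-log lines. The log format, the /cgi-bin/quick/ directory prefix, the source IPs and the request values are all constructed for illustration; only the file name and parameter names come from the analysis. Because a legitimate NTP server is a hostname or IP literal, any other character in SPECIFIC_SERVER is treated as a likely injection attempt, while a clean value on this unauthenticated endpoint is still surfaced as a probe worth reviewing.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# A legitimate NTP server value is a hostname or an IPv4/IPv6 literal.
# Anything outside this character set is suspicious, because the analysis
# above notes the value is written into a configuration file on the device.
_VALID_SERVER = re.compile(r"^[A-Za-z0-9.\-:\[\]]+$")

# Minimal parser for an Apache/nginx "combined" access-log line
# (assumed log format; adjust the pattern for your web server).
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample log lines: one unrelated request, one call to the
# endpoint with a well-formed NTP host, one with a shell metacharacter.
SAMPLE_LOG = [
    '203.0.113.10 - - [10/Feb/2024:08:15:01 +0000] "GET /index.html HTTP/1.1" '
    '200 512 "-" "Mozilla/5.0"',
    '203.0.113.11 - - [10/Feb/2024:08:15:02 +0000] "GET /cgi-bin/quick/quick.cgi'
    '?todo=set_timeinfo&SPECIFIC_SERVER=ntp.example.org HTTP/1.1" 200 87 "-" "curl/8.4.0"',
    '203.0.113.12 - - [10/Feb/2024:08:15:03 +0000] "GET /cgi-bin/quick/quick.cgi'
    '?todo=set_timeinfo&SPECIFIC_SERVER=ntp.example.org%3Bid HTTP/1.1" 200 87 "-" '
    '"python-requests/2.31"',
]


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = _LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Return None, 'probe' or 'injection' for one parsed access-log entry.

    'probe'     - quick.cgi called with todo=set_timeinfo and a well-formed
                  SPECIFIC_SERVER value (still notable on an exposed NAS).
    'injection' - SPECIFIC_SERVER contains characters that cannot appear in a
                  hostname or IP literal, e.g. shell metacharacters.
    """
    if entry is None:
        return None
    parts = urlsplit(entry["target"])
    # Match on the CGI file name only; the directory prefix is an assumption.
    if parts.path.rsplit("/", 1)[-1] != "quick.cgi":
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    if params.get("todo") != ["set_timeinfo"]:
        return None
    if "SPECIFIC_SERVER" not in params:
        return None
    # parse_qs already decodes one layer of percent-encoding; decode once more
    # so a double-encoded metacharacter is not mistaken for a plain hostname.
    value = unquote(params["SPECIFIC_SERVER"][0])
    return "injection" if not _VALID_SERVER.match(value) else "probe"


def scan(lines):
    """Return a list of (verdict, source_ip) for every line that matches."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        verdict = classify(entry)
        if verdict:
            hits.append((verdict, entry["ip"]))
    return hits


if __name__ == "__main__":
    for verdict, ip in scan(SAMPLE_LOG):
        print(f"{verdict:<10} from {ip}")
```

Two caveats apply when porting this to a real SIEM query. The query string is only visible in the access log for GET requests; if the parameters arrive in a POST body, the same check has to run on a reverse proxy or WAF log that records request bodies. And the character allow-list is deliberately strict: an over-broad match is preferable here, since a NAS exposed to the internet should not be receiving unauthenticated time-configuration requests at all, and each hit is a candidate for the firmware-version check QNAP's advisory describes.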

In response to the vulnerability disclosure, QNAP promptly issued a security advisory offering recommendations and CVE-2023-50358 mitigation measures to help defenders proactively address potential threats. In addition to the CVE-2023-50358 zero-day, the vendor also addressed another security bug tracked as CVE-2023-47218 that affects a different QNAP OS version. If successfully exploited, both CVE-2023-50358 and CVE-2023-47218 can enable adversaries to execute commands through a network. QNAP has been gradually releasing firmware updates containing patches since early January 2024, with some updates being rolled out in multiple stages.

To minimize the risks of CVE-2023-50358 vulnerability exploitation, QNAP customers are strongly advised to ensure their NAS devices are upgraded to the fully fixed firmware version. The vendor has also provided guidance on how admins can verify whether their system is susceptible to the above-referenced QNAP security issues.

Researchers believe that security bugs affecting IoT devices possess both low attack complexity and high severity, making them highly appealing to threat actors. Consequently, safeguarding IoT devices against these threats is an immediate priority. Get started with Uncoder AI to advance your Detection Engineering capabilities with a single AI-powered IDE for simplified code writing, syntax & logic validation, and automated translation to dozens of cybersecurity languages while ensuring proactive defense against CVE exploitation attempts and cyber threats of any sophistication.
