#VU54221 Unprotected storage of credentials in QNAP Systems, Inc. products - CVE-2021-28815

Cybersecurity Help s.r.o.

Published: 2021-06-18

Vulnerability identifier: #VU54221

Vulnerability risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2021-28815

CWE-ID: CWE-256

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
QNAP QTS
Server applications / File servers (FTP/HTTP)
QuTS hero
Hardware solutions / Firmware
QuTScloud
Operating systems & Components / Operating system
myQNAPcloud Link
Other software / Other software solutions

Vendor: QNAP Systems, Inc.

Description

The vulnerability allows a remote attacker to gain access to other users' credentials.

The vulnerability exists due to insecure storage of sensitive information. A remote attacker can access the unrestricted storage mechanism to read sensitive information on the system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

QNAP QTS: before 4.5.3, 4.5.3

QuTS hero: before h4.5.2

QuTScloud: before c4.5.4

myQNAPcloud Link: before 2.2.21

External links
https://www.qnap.com/zh-tw/security-advisory/qsa-21-26

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Unprotected storage of credentials in QNAP myQNAPcloud Link