#VU56446 Insufficiently protected credentials in QNAP Systems, Inc. products - CVE-2021-28813

Cybersecurity Help s.r.o.

Published: 2021-09-10

Vulnerability identifier: #VU56446

Vulnerability risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2021-28813

CWE-ID: CWE-522

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
QGD-1600P
Hardware solutions / Routers & switches, VoIP, GSM, etc
QGD-1602P
Hardware solutions / Routers & switches, VoIP, GSM, etc
QGD-3014PT
Hardware solutions / Routers & switches, VoIP, GSM, etc
QuNetSwitch
Hardware solutions / Firmware
QSW-M2116P-2T2S
Hardware solutions / Firmware

Vendor: QNAP Systems, Inc.

Description

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to insufficiently protected credentials. A remote attacker can access the unrestricted storage mechanism and read sensitive information.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

QGD-1600P: All versions

QGD-1602P: All versions

QGD-3014PT: All versions

QuNetSwitch: before 1.0.6.1509

QSW-M2116P-2T2S: before 1.0.6

External links
https://www.qnap.com/en/security-advisory/qsa-21-37

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Insufficiently protected credentials in QNAP QSW-M2116P-2T2S and QuNetSwitch