SB2020083115 - Security update for third-party software in QNAP QTS 

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2020083115

SB2020083115 - Security update for third-party software in QNAP QTS

Published: August 31, 2020 Updated: September 7, 2020

Security Bulletin ID SB2020083115
Severity
Medium
Patch available
YES
Number of vulnerabilities 10
Exploitation vector Remote access
Highest impact Denial of service

Breakdown by Severity

Medium 90% Low 10%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 10 secuirty vulnerabilities.


1) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2017-7418)

The vulnerability allows a local user to access sensitive information.

The vulnerability exists due to incorrect implementation of the AllowChrootSymlinks option that checks only the last path component when enforcing it. A local user with ability to manage own FTP home directory can create a specially crafted symbolic link and gain unauthorized access to the filesystem.


2) NULL pointer dereference (CVE-ID: CVE-2019-19269)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference in tls_verify_crl() function in ProFTPD while processing data, returned by the OpenSSL sk_X509_REVOKED_value() function when encountering an empty CRL installed by a system administrator. A remote attacker can trigger the NULL pointer dereference error when validating the certificate of a client connecting to the server in a TLS client/server mutual-authentication setup.

Successful exploitation of the vulnerability will result in a denial of service condition.


3) Improper Certificate Validation (CVE-ID: CVE-2019-19270)

The vulnerability allows a remote non-authenticated attacker to manipulate data.

An issue was discovered in tls_verify_crl in ProFTPD through 1.3.6b. Failure to check for the appropriate field of a CRL entry (checking twice for subject, rather than once for subject and once for issuer) prevents some valid CRLs from being taken into account, and can allow clients whose certificates have been revoked to proceed with a connection to the server.


4) Infinite loop (CVE-ID: CVE-2019-18217)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to infinite loop in main.c in a child process when handling overly long commands. A remote non-authenticated attacker can perform a denial of service attack by sending an overly log command to the affected FTP server.


5) NULL pointer dereference (CVE-ID: CVE-2019-19272)

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

An issue was discovered in tls_verify_crl in ProFTPD before 1.3.6. Direct dereference of a NULL pointer (a variable initialized to NULL) leads to a crash when validating the certificate of a client connecting to the server in a TLS client/server mutual-authentication setup.


6) Improper Certificate Validation (CVE-ID: CVE-2019-19271)

The vulnerability allows a remote non-authenticated attacker to manipulate data.

An issue was discovered in tls_verify_crl in ProFTPD before 1.3.6. A wrong iteration variable, used when checking a client certificate against CRL entries (installed by a system administrator), can cause some CRL entries to be ignored, and can allow clients whose certificates have been revoked to proceed with a connection to the server.


7) Use-after-free (CVE-ID: CVE-2020-9273)

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error when processing data transfer within the alloc_pool() function in pool.c. A remote authenticated attacker can trigger a use-after-free error and execute arbitrary code on the system.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.


8) Out-of-bounds read (CVE-ID: CVE-2020-9272)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition in mod_cap within bundled libpcab library code (via the cap_text.c cap_to_text function). A remote attacker can send specially crafted traffic to the server, trigger an out-of-bounds read error and read contents of memory on the system.


9) Resource exhaustion (CVE-ID: CVE-2020-10745)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources when processing NBT and DNS replies.  A remote attacker can send a name in the reply to a NBT or DNS request and consume excessive CPU resources, resulting in denial of service conditions.


10) Input validation error (CVE-ID: CVE-2020-14303)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of UDp packets with 0 length data  in Samba. A remote attacker can send a specially crafted UDP packet to port 137/TCP and perform a denial of service (DoS) attack.


Remediation

Install update from vendor's website.

References