A buffer overflow vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to modify memory or crash processes.
We have already fixed the vulnerability in the following versions: QTS 5.2.7.3256 build 20250913 and later QuTS hero h5.2.7.3256 build 20250913 and later QuTS hero h5.3.1.3250 build 20250912 and later
Weakness
A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Quts_hero | Qnap | h5.2.0.2737-build_20240417 (including) | h5.2.0.2737-build_20240417 (including) |
| Quts_hero | Qnap | h5.2.0.2782-build_20240601 (including) | h5.2.0.2782-build_20240601 (including) |
| Quts_hero | Qnap | h5.2.0.2789-build_20240607 (including) | h5.2.0.2789-build_20240607 (including) |
| Quts_hero | Qnap | h5.2.0.2802-build_20240620 (including) | h5.2.0.2802-build_20240620 (including) |
| Quts_hero | Qnap | h5.2.0.2823-build_20240711 (including) | h5.2.0.2823-build_20240711 (including) |
| Quts_hero | Qnap | h5.2.0.2851-build_20240808 (including) | h5.2.0.2851-build_20240808 (including) |
| Quts_hero | Qnap | h5.2.0.2860-build_20240817 (including) | h5.2.0.2860-build_20240817 (including) |
| Quts_hero | Qnap | h5.2.1.2929-build_20241025 (including) | h5.2.1.2929-build_20241025 (including) |
| Quts_hero | Qnap | h5.2.1.2940-build_20241105 (including) | h5.2.1.2940-build_20241105 (including) |
| Quts_hero | Qnap | h5.2.2.2952-build_20241116 (including) | h5.2.2.2952-build_20241116 (including) |
| Quts_hero | Qnap | h5.2.3.3006-build_20250108 (including) | h5.2.3.3006-build_20250108 (including) |
| Quts_hero | Qnap | h5.2.4.3070-build_20250312 (including) | h5.2.4.3070-build_20250312 (including) |
| Quts_hero | Qnap | h5.2.4.3079-build_20250321 (including) | h5.2.4.3079-build_20250321 (including) |
| Quts_hero | Qnap | h5.2.5.3138-build_20250519 (including) | h5.2.5.3138-build_20250519 (including) |
| Quts_hero | Qnap | h5.2.6.3195-build_20250715 (including) | h5.2.6.3195-build_20250715 (including) |
| Quts_hero | Qnap | h5.3.0.3115-build_20250430 (including) | h5.3.0.3115-build_20250430 (including) |
| Quts_hero | Qnap | h5.3.0.3145-build_20250530 (including) | h5.3.0.3145-build_20250530 (including) |
| Quts_hero | Qnap | h5.3.0.3192-build_20250716 (including) | h5.3.0.3192-build_20250716 (including) |
Potential Mitigations
- Use automatic buffer overflow detection mechanisms that are offered by certain compilers or compiler extensions. Examples include: the Microsoft Visual Studio /GS flag, Fedora/Red Hat FORTIFY_SOURCE GCC flag, StackGuard, and ProPolice, which provide various mechanisms including canary-based detection and range/index checking.
- D3-SFCV (Stack Frame Canary Validation) from D3FEND [REF-1334] discusses canary-based detection in detail.
- Run or compile the software using features or extensions that randomly arrange the positions of a program’s executable and libraries in memory. Because this makes the addresses unpredictable, it can prevent an attacker from reliably jumping to exploitable code.
- Examples include Address Space Layout Randomization (ASLR) [REF-58] [REF-60] and Position-Independent Executables (PIE) [REF-64]. Imported modules may be similarly realigned if their default memory addresses conflict with other modules, in a process known as “rebasing” (for Windows) and “prelinking” (for Linux) [REF-1332] using randomly generated addresses. ASLR for libraries cannot be used in conjunction with prelink since it would require relocating the libraries at run-time, defeating the whole purpose of prelinking.
- For more information on these techniques see D3-SAOR (Segment Address Offset Randomization) from D3FEND [REF-1335].