QNAP, a Taiwanese hardware vendor, has warned customers to secure their Linux-powered network-attached storage (NAS) devices against a high-severity Sudo privilege escalation vulnerability. The flaw, tracked as CVE-2023-22809, was discovered by Synacktiv security researchers, who describe it as a “sudoers policy bypass in Sudo version 1.9.12p1 when using sudoedit.”
The vulnerability could allow attackers to escalate privileges by editing unauthorized files after appending arbitrary entries to the list of files to process.
The vulnerability affects the QTS, QuTS hero, QuTScloud, and QVP (QVR Pro appliances) NAS operating systems, as QNAP revealed in a security advisory published on Wednesday. The company has addressed the flaw in the QTS and QuTS hero platforms, but it’s still working on providing QuTScloud and QVP security updates.
Customers are advised to apply available security updates as soon as possible, as threat actors are known to actively target QNAP NAS security flaws.
To secure their QNAP NAS device, customers can click the “Check for Update” option under the “Live Update” section after logging in as the admin user and going to Control Panel > System > Firmware Update.
Alternatively, they can manually apply the firmware update after downloading it from QNAP’s Download Center after selecting their device’s product type and model.
QNAP’s advisory has not tagged the CVE-2023-22809 vulnerability as being actively exploited in the wild.
However, recent attacks targeting QNAP NAS devices include DeadBolt and eCh0raix ransomware campaigns that abuse vulnerabilities to encrypt data on Internet-exposed devices.
QNAP has also announced that it’s fixing multiple other security bugs affecting its products, including some found in OpenSSL, Samba, and its own operating systems (exploitable for remote command execution and information disclosure).
