oss-sec mailing list archives
Re: CVE request: QNAP QTS
From: cve-assign () mitre org
Date: Mon, 29 Sep 2014 13:57:03 -0400 (EDT)
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
QNAP QTS employ Bash as the default shell and we discover an arbitrary code execution flaw with UID=0
As far as we can tell, the http://www.qnap.com/useng/index.php?lang=en-us&sn=885&c=3036&sc=&n=22457 reference suggests that the code execution for that PoC occurs because the QNAP Bash build has the CVE-2014-6271 vulnerability. In that case, the applicable CVE ID is CVE-2014-6271, not a separate CVE ID specific to QNAP's build. If you mean something else -- for example, if another reference states that the implementation language of restore_config.cgi is not sh and that the design of restore_config.cgi was supposed to drop privileges immediately, but there's an implementation flaw in which Bash is launched before privileges are dropped -- then there could conceivably be a separate CVE ID for that restore_config.cgi issue. Similarly, if you're referring to an authentication bypass -- for example, if the implementation language of restore_config.cgi is not sh and the design of restore_config.cgi was supposed to exit immediately for unauthenticated requests, but there's an implementation flaw in which Bash is launched before missing authentication is detected, then there could conceivably be a separate CVE ID. - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (SunOS) iQEcBAEBAgAGBQJUKZzGAAoJEKllVAevmvmsYVkIAL4Y1FNV4YcHY8r2jIHfg1Ez zLtThhTE6s3CMPfmDJPnjCm9uwTNvT9QLSJ9v6eZhoaXvutCqdKNqjfcdabZhikr 7JRHJcg4jTOcrang/w9+9SL8dJ3C/JUFfJZyUKfA2d19vCCuXwpnOZKq/70C2Pl1 tU8U1VONrZCuSImAIWpy/aoFtc5GeSGxkblb6StMteZIXbDM+PsAyrtY0yRX9UuG VIpeX0aVVH6XW8+1L1jVYolYDdN3M8pZWBJYArFxgg+A/vSu7Vk5ZsGO/vY8y7jv x1h76ah6I7cw3GSUt9fujizBEi+ekAWaGXqB6pOG3/HUO1xI9BJofuDQSg+ZtIE= =kin/ -----END PGP SIGNATURE-----
Current thread:
- CVE request: QNAP QTS Ken Lee (Sep 28)
- Re: CVE request: QNAP QTS cve-assign (Sep 29)