oss-sec mailing list archives

Re: CVE request: QNAP QTS


From: cve-assign () mitre org
Date: Mon, 29 Sep 2014 13:57:03 -0400 (EDT)

> QNAP QTS employs Bash as the default shell and we discover an arbitrary
> code execution flaw with UID=0

As far as we can tell, the
http://www.qnap.com/useng/index.php?lang=en-us&sn=885&c=3036&sc=&n=22457
reference suggests that the code execution for that PoC occurs because
the QNAP Bash build has the CVE-2014-6271 vulnerability. In that case,
the applicable CVE ID is CVE-2014-6271, not a separate CVE ID specific
to QNAP's build.

If you mean something else -- for example, if another reference states
that the implementation language of restore_config.cgi is not sh and
that the design of restore_config.cgi was supposed to drop privileges
immediately, but there's an implementation flaw in which Bash is
launched before privileges are dropped -- then there could conceivably
be a separate CVE ID for that restore_config.cgi issue. Similarly, if
you're referring to an authentication bypass -- for example, if the
implementation language of restore_config.cgi is not sh and the design
of restore_config.cgi was supposed to exit immediately for
unauthenticated requests, but there's an implementation flaw in which
Bash is launched before missing authentication is detected, then there
could conceivably be a separate CVE ID.

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]