How to Fix CVE-2023-22809- A High-Severity Sudo Privilege Escalation Vulnerability in QNAP NAS Devices?

The Network Attached Storage (NAS) devices manufacturer giant QNAP published an advisory on 30th March 2023 in which QNAP announced a high-severity sudo privilege escalation vulnerability in QNAP NAS devices. The vulnerability tracked under the identifier CVE-2023-22809 is a High severity vulnerability with a CVSS score of 7.8 out of 10. Security researchers from Synacktiv who disclosed the flaw has punished the comprehensive technical details about the flaw. Since this flaw allows an attacker to carry out privilege escalation attacks just by editing unauthorized files, it is important to fix the CVE-2023-22809 vulnerability. Let’s see how to fix CVE-2023-22809, a high-severity sudo privilege escalation vulnerability in QNAP NAS devices in this post.

Introduction to QNAP NAS

When it comes to network-attached storage (NAS), QNAP NAS is a name that needs no introduction. Renowned for its reliability and versatility, QNAP NAS is the perfect choice for both personal and professional use. With a diverse range of models to choose from, QNAP NAS offers options that cater to every need, from basic storage to top-of-the-line solutions.

What sets QNAP NAS apart is its ability to support a wide range of protocols, making it a flexible and efficient storage solution for various use cases. Whether you’re looking to store precious memories at home or seeking robust storage solutions for your business, QNAP NAS has got you covered.

QTS 5.x and QuTS hero h5.x

QTS 5.x is the latest cutting-edge operating system from QNAP Systems Inc. designed specifically for their NAS devices. With a user-friendly interface and a vast array of applications, QTS 5.x is the future of data management. Its advanced features, including virtualization, containerization, and disaster recovery, ensure data security and provide a seamless storage experience for all users.

For businesses seeking maximum value from their data, there’s QuTS hero h5.x – a high-performance version of QTS 5.x optimized for the QuTS hero series NAS devices. QuTS hero h5.x combines the best of QTS 5.x with innovative hardware and a unique data management architecture, delivering exceptional performance, reliability, and scalability. Its advanced storage features, including storage pooling, data backup and recovery, and disaster recovery solutions, make it the ultimate choice for businesses that demand the very best in data management solutions.

Summary of CVE-2023-22809

This is a high-severity sudo privilege escalation vulnerability in QNAP NAS operating systems which got a CVSS score of 7.8 out of 10 on the scale. The vulnerability is not natively rooted in QNAP devices. In fact, the vulnerability is stemmed from the sudo utility, the most powerful, open-source, ubiquitous utility used in all non-windows platforms like Unix, Linux, Solaris, and Mac that allows users to run the programs with another user’s security privileges (superuser privileges). 

Synacktiv discovered a sudoers policy bypass in Sudo version 1.9.12p1 when using sudoedit. This vulnerability may lead to privilege escalation by editing unauthorized files.
– Synacktiv

This sudoers policy bypass vulnerability has been discovered in versions 1.8.0 through 1.9.12.p1 of Sudo which could lead to privilege escalation by a local attacker. The vulnerability specifically affects the sudoedit feature, also known as “-e,” which allows users to edit files with elevated privileges. When user-provided environment variables such as SUDO_EDITOR, VISUAL, and EDITOR are passed with additional arguments, Sudo mishandles them, enabling an attacker to append arbitrary entries to the list of files to process.

This security flaw arises because a user-specified editor may contain a “–” argument that can defeat a protection mechanism. For example, a value of “vim — /path/to/extra/file” for the EDITOR variable could bypass the security mechanism, leading to privilege escalation. Visit the report published by Sinacktiv for complete 

.

QNAP NAS OS Vulnerable to CVE-2023-22809:

Since the vulnerability is rooted in sudo versions 1.8.0 through 1.9.12.p1, this flaw affects all the QNAP devices that run the vulnerable sudo versions. 

How to Fix CVE-2023-22809- A High-Severity Sudo Privilege Escalation Vulnerability in QNAP NAS Devices?

It is crucial for users to upgrade their Sudo installations to version 1.9.12p2 or later to mitigate this vulnerability. Users are also advised to review their Sudo configurations and limit the use of sudoedit where possible.

However, the vendor has released the patch to fix the CVE-2023-22809, a high-severity sudo privilege escalation vulnerability in QNAP NAS devices. Please upgrade your QNAP OS to these fixed versions. We always recommend regular upgrades and keeping your device to the latest version. 

Synacktiv recommended mitigation for those who can’t go for the immediate patch. According to Synacktiv, adding these affected environment variables to the env_delete deny list when using sudoedit would help mitigate the flaw.

Defaults!SUDOEDIT env_delete+="SUDO_EDITOR VISUAL EDITOR" 
Cmnd_Alias SUDOEDIT = sudoedit /etc/custom/service.conf 
user ALL=(ALL:ALL) SUDOEDIT

We highly recommend that you regularly update your device to ensure its security and to take advantage of the latest vulnerability fixes. To do so, you can check the product support status to find out about the latest updates available for your specific NAS model.

To update your QTS, QuTS hero, or QuTScloud device, log in as an administrator and navigate to Control Panel > System > Firmware Update. Click on Live Update and then select Check for Update. The system will download and install the latest available update. Alternatively, you can download the update from the QNAP website by visiting Support > Download Center and manually updating your device.

For updating QVP (QVR Pro Appliances), log in as an administrator and navigate to Control Panel > System Settings > Firmware Update. Choose the Firmware Update tab and click on Browse to upload the latest firmware file. You can download the latest firmware file for your device from https://www.qnap.com/go/download. Once the file has been uploaded, click on Update System to install the update.

We hope this post would help you know how to fix CVE-2023-22809, a high-severity sudo privilege escalation vulnerability in QNAP NAS devices. Please share this post and help secure the digital world. Visit our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, Medium & Instagram and subscribe to receive updates like this.

You may also like these articles: