CVE-2018-19949
Published: 28 October 2020
Summary
CVE-2018-19949 is a critical-severity Improper Input Validation (CWE-20) vulnerability in QNAP QTS. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 2.4% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2018-19949 is a command injection vulnerability stemming from improper input validation, tracked under CWEs 20, 77, and 78. It affects multiple versions of QNAP QTS network-attached storage firmware and carries a CVSS 3.1 base score of 9.8.
Unauthenticated remote attackers can exploit the flaw over the network to execute arbitrary operating-system commands, resulting in full compromise of confidentiality, integrity, and availability on the affected device.
QNAP has released fixes in QTS 4.4.2.1231 build 20200302, 4.4.1.1201 build 20200130, 4.3.6.1218 build 20200214, 4.3.4.1190 build 20200107, 4.3.3.1161 build 20200109, and 4.2.6 build 20200109, as detailed in security advisory QSA-20-01.
The vulnerability appears in the CISA Known Exploited Vulnerabilities catalog, confirming observed in-the-wild exploitation.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2018-11620
Vulnerability details
If exploited, this command injection vulnerability could allow remote attackers to run arbitrary commands. QNAP has already fixed the issue in the following QTS versions: QTS 4.4.2.1231 on build 20200302; QTS 4.4.1.1201 on build 20200130; QTS 4.3.6.1218 on build 20200214; QTS 4.3.4.1190 on build 20200107; QTS 4.3.3.1161 on build 20200109; QTS 4.2.6 on build 20200109.
- CWE(s)
- KEV Date Added: 24 May 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
SI-10 (Information Input Validation) directly requires validation of all inputs to block the unsanitized data that enables command injection.
SI-2 (Flaw Remediation) mandates prompt application of the vendor patches listed in QSA-20-01 that eliminate the injection flaw.
Boundary-protection rules can restrict network exposure of the affected QTS interfaces to reduce unauthenticated remote attack surface.