CVE-2019-7192
Published: 05 December 2019
Summary
CVE-2019-7192 is a critical-severity Incorrect Authorization (CWE-863) vulnerability in Qnap Photo Station. Its CVSS base score is 9.8 (Critical).
Operationally, ranked in the top 0.1% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2019-7192 is an improper access control vulnerability, tracked under CWE-863, that affects QNAP Photo Station. It received a CVSS v3.1 base score of 9.8 and permits remote attackers to obtain unauthorized access to the system without requiring authentication.
The flaw can be exploited over the network by unauthenticated attackers to gain unauthorized access, which in practice has been shown to enable remote command execution on affected QNAP QTS installations running vulnerable versions of Photo Station.
QNAP security advisories direct users to update Photo Station to the latest available versions to address the issue. The vulnerability appears in CISA's catalog of known exploited vulnerabilities, and public proof-of-concept code for remote command execution has been published.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2019-16736
Vulnerability details
This improper access control vulnerability allows remote attackers to gain unauthorized access to the system. To fix these vulnerabilities, QNAP recommend updating Photo Station to their latest versions.
- CWE(s)
- KEV Date Added
- 08 June 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly enforces access control policies to block unauthenticated remote access that CVE-2019-7192 exploits.
Requires timely application of vendor patches that QNAP states are the fix for the Photo Station flaw.
Mandates identification and authentication prior to granting system access, directly countering the missing-authentication vector.