[SECURITY ADVISORY] Command Injection Vulnerability in Malware Remover

Toxic17
Ask me anything
Posts: 6469
Joined: Tue Jan 25, 2011 11:41 pm
Location: Planet Earth

Post by Toxic17 »

Release date: May 13, 2021
Security ID: QSA-21-16
Severity: Medium
CVE identifier: CVE-2020-36198
Affected products: QNAP NAS running Malware Remover 4.x
Status: Resolved

Summary
A command injection vulnerability has been reported to affect certain versions of Malware Remover. If exploited, this vulnerability allows remote attackers to execute arbitrary commands.

We have already fixed the issue in the following versions:
QTS 4.4.x: Malware Remover 4.6.1.0 and later

QNAP NAS running Malware Remover 3.x are not affected.

Recommendation
To fix the vulnerability, we recommend updating Malware Remover to the latest version.

Updating Malware Remover
1. Log on to QTS as administrator.
2. Open the App Center and then click .
   A search box appears.
3. Type “Malware Remover” and then press ENTER.
   Malware Remover appears in the search results.
4. Click Update.
   A confirmation message appears.
   Note: The Update button is not available if your Malware Remover is already up to date.
5. Click OK.
   The application is updated.

Acknowledgements: Trend Micro ZDI - ZDI-CAN-12891
Revision History: V1.0 (May 13, 2021) - Published
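
A version triage for the affected and fixed ranges stated in the advisory above, as an added example that is not part of the original post or any QNAP tooling. It compares versions numerically (so 4.10.0.0 counts as newer than 4.6.1.0); the host names and version strings are constructed, and how the installed version is collected from each NAS is left to the reader.

```python
import re

# First fixed build named in QSA-21-16 (QTS 4.4.x).
FIXED = (4, 6, 1, 0)

def parse_version(text):
    """Return a dotted-numeric version as a 4-tuple of ints, else None."""
    text = text.strip()
    if not re.fullmatch(r"\d+(?:\.\d+){0,3}", text):
        return None
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def classify(version_text):
    """Map an installed Malware Remover version to its QSA-21-16 status."""
    v = parse_version(version_text)
    if v is None:
        return "unknown"        # not a version string: check by hand
    if v >= FIXED:
        return "fixed"          # 4.6.1.0 and later
    if v[0] == 4:
        return "vulnerable"     # 4.x older than the fixed build
    if v[0] == 3:
        return "not affected"   # the advisory excludes 3.x
    return "unknown"            # branch the advisory does not mention

def needs_attention(inventory):
    """Return hosts, sorted, whose version is vulnerable or unknown."""
    return sorted(host for host, ver in inventory.items()
                  if classify(ver) in ("vulnerable", "unknown"))

# Constructed inventory: host names and version strings are made up.
SAMPLE = {
    "nas-01": "4.5.4.0",
    "nas-02": "4.6.1.0",
    "nas-03": "3.6.1.0",
    "nas-04": "4.10.0.0",   # numerically newer than 4.6.1.0
    "nas-05": "unknown",
}

if __name__ == "__main__":
    for host in sorted(SAMPLE):
        print(host, SAMPLE[host], classify(SAMPLE[host]))
    print("update or review:", needs_attention(SAMPLE))
```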

Post by Toxic17 »

Not looking good for all these vulnerabilities on QNAP Applications, especially when it's the app that is supposed to remove these issues, and QNAP is telling its customers to install a dodgy app in the first place!
Regards Simon

Qnap Downloads
MyQNap.Org Repository
Submit a ticket • QNAP Helpdesk
QNAP Tutorials, User Manuals, FAQs, Downloads, Wiki
When you ask a question, please include the following


NAS: TS-673A QuTS hero h5.1.2.2534 • TS-121 4.3.3.2420 • APC Back-UPS ES 700G
Network: VM Hub3: 500/50 • UniFi UDM Pro: 3.2.9 • UniFi Network Controller: 8.0.28
USW-Aggregation: 6.6.61 • US-16-150W: 6.6.61 • 2x USW Mini Flex 2.0.0 • UniFi AC Pro 6.6.62 • UniFi U6-LR 6.6.62
UniFi Protect: 2.11.21/8TB Skyhawk AI • 3x G3 Instants: 4.69.55 • UniFi G3 Flex: 4.69.55 • UniFi G5 Flex: 4.69.55
OneCD
Guru
Posts: 12037
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

Post by OneCD »

Why can’t someone hack that stupid dancing Qboost robot? It’s about the last piece of QNAP-created software that hasn’t been exploited. :lol:

Post by Toxic17 »

OneCD wrote: Thu May 13, 2021 3:33 pm Why can’t someone hack that stupid dancing Qboost robot? It’s about the last piece of QNAP-created software that hasn’t been exploited. :lol:
I never understood that piece of software, more marketing hype.

Maybe QNAP could come up with a new app called Bloatware remover.

Post by OneCD »

Toxic17 wrote: Thu May 13, 2021 3:48 pm Maybe QNAP could come up with a new app called Bloatware remover.
I remember suggesting the same thing to @jaysona. ;)

Post by Toxic17 »

Really need QNAP to remove most stuff and have them as QPKGs. Synology does this even with Web, SQL, PHP too. It just makes sense. Also, programs can be updated without the need for firmware to be compiled.

Let the user have control of what goes on the NAS.

jaysona
Been there, done that
Posts: 846
Joined: Tue Dec 02, 2008 11:26 am
Location: Somewhere in the Great White North

Post by jaysona »

OneCD wrote: Thu May 13, 2021 3:33 pm Why can’t someone hack that stupid dancing Qboost robot? It’s about the last piece of QNAP-created software that hasn’t been exploited. :lol:
Hold my beer! :p
RAID is not a Back-up!

H/W: QNAP TVS-871 (i7-4790. 16GB) (Plex server) / TVS-EC1080 (32Gig ECC) - VM host & seedbox
H/W: Asustor AS6604T (8GB) / Asustor AS7010T (16GB) (media storage)
H/W: TS-219 Pro / TS-509 Pro
O/S: Slackware 14.2 / MS Windows 7-64 (x5)
Router1: Asus RT-AC86U - Asuswrt-Merlin - 386.7_2
Router2: Asus RT-AC68U - Asuswrt-Merlin - 386.7_2
Router3: Linksys WRT1900AC - DD-WRT v3.0-r46816 std
Router4: Asus RT-AC66U - FreshTomato v2021.10.15

Misc: Popcorn Hour A-110/WN-100, Pinnacle Show Center 250HD, Roku SoundBridge Radio (all retired)
Ditched QNAP units: TS-269 Pro / TS-253 Pro (8GB) / TS-509 Pro / TS-569 Pro / TS-853 Pro (8GB)
TS-670 Pro x2 (i7-3770s 16GB) / TS-870 Pro (i7-3770 16GB) / TVS-871 (i7-4790s 16GB)
ColHut
Know my way around
Posts: 248
Joined: Sat Oct 14, 2017 12:13 am

Post by ColHut »

I really am shaking my head on this one...

Post by jaysona »

OneCD wrote: Thu May 13, 2021 4:02 pm
Toxic17 wrote: Thu May 13, 2021 3:48 pm Maybe QNAP could come up with a new app called Bloatware remover.
I remember suggesting the same thing to @jaysona. ;)
I had started to look into making QPKGs and was seriously considering such an app, however between finding out that QNAP re-installs the removed bloatware upon NAS reboot and my accelerated plans of getting rid of my QNAP NASes, I could not justify the required effort.

Toxic17 wrote: Thu May 13, 2021 4:05 pm Really need QNAP to remove most stuff and have them as QPKGs. Synology does this even with Web, SQL, PHP too. It just makes sense. Also, programs can be updated without the need for firmware to be compiled.

Let the user have control of what goes on the NAS.
Asustor does this as well - with the exception of the web server, which is part of ADM. I have been so impressed with the architecture of ADM and the way it is written I have purchased more units than I had initially planned to, and I'm moving everything to the Asustor NASes. I think the only QNAP I will be left with will be the TVS-EC1080 (plex and VMs) and possibly the TVS-871.

Post by jaysona »

ColHut wrote: Thu May 13, 2021 9:00 pm I really am shaking my head on this one...
I'm not. Given QNAP's coding practices, this is not surprising at all, and is not even the tip of the iceberg, there is more to come, and I cannot get rid of my QNAPs fast enough.

Trexx
Ask me anything
Posts: 5393
Joined: Sat Oct 01, 2011 7:50 am
Location: Minnesota

Post by Trexx »

jaysona wrote:
ColHut wrote: Thu May 13, 2021 9:00 pm I really am shaking my head on this one...
I'm not. Given QNAP's coding practices, this is not surprising at all, and is not even the tip of the iceberg, there is more to come, and I cannot get rid of my QNAPs fast enough.
I’ll take your x77 off your hands Jaysona.. and even will pay for the shipping. Who needs that security risk on your network ;)


Paul

Model: TS-877-1600 FW: 4.5.3.x
QTS (SSD): [RAID-1] 2 x 1TB WD Blue m.2's
Data (HDD): [RAID-5] 6 x 3TB HGST DeskStar
VMs (SSD): [RAID-1] 2 x1TB SK Hynix Gold
Ext. (HDD): TR-004 [Raid-5] 4 x 4TB HGST Ultastor
RAM: Kingston HyperX Fury 64GB DDR4-2666
UPS: CP AVR1350

Model: TVS-673 32GB & TS-228a Offline
-----------------------------------------------------------------------------------------------------------------------------------------
2018 Plex NAS Compatibility Guide | QNAP Plex FAQ | Moogle's QNAP Faq

Post by jaysona »

Trexx wrote: Thu May 13, 2021 11:45 pm I’ll take your x77 off your hands Jaysona.. and even will pay for the shipping. Who needs that security risk on your network ;)
x77....???

Post by Trexx »

I thought you had one of the Ryzen boxes.



Post by OneCD »

jaysona wrote: Thu May 13, 2021 9:01 pm ... however between finding out that QNAP re-installs the removed bloatware upon NAS reboot and my accelerated plans of getting rid of my QNAP NASes, I could not justify the required effort.
Must admit, it gets harder each year to find the motivation to continue supporting QNAP. Their products are only getting worse. :(

It feels a lot like supporting a football team that never wins. Eventually, you're asking yourself "why am I supporting these guys? ¯\_(ツ)_/¯".

I'd be a lot happier if QNAP got back-to-basics and made solid and reliable NAS like those their name was originally built-on. :D

dolbyman
Guru
Posts: 35005
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Post by dolbyman »

OneCD wrote: Fri May 14, 2021 4:53 am I'd be a lot happier if QNAP got back-to-basics and made solid and reliable NAS like those their name was originally built-on. :D
+1

But I guess you only fetch customers with shiny features and buzzwords like "public cloud"