Security Fix for Surveillance Station Pro v3.0 & v2.0~2.5

Envalon
New here
Posts: 8
Joined: Fri Jun 07, 2013 5:17 am

Security Fix for Surveillance Station Pro v3.0 & v2.0~2.5

Post by Envalon » Fri Jun 07, 2013 5:22 am

Hi,
your information is not correct.
[What is affected]
FW 3.8.2+ with Surveillance Station Pro installed.

Greetings

Envalon
New here
Posts: 8
Joined: Fri Jun 07, 2013 5:17 am

Re: Security Fix for Surveillance Station Pro v3.0

Post by Envalon » Fri Jun 07, 2013 5:25 am

When will a Viostor fix be released? At the moment every Viostor system is attackable?

Greetings

johnripper
Experience counts
Posts: 1359
Joined: Sun Aug 14, 2011 5:13 am

Re: Security Fix for Surveillance Station Pro v3.0

Post by johnripper » Fri Jun 07, 2013 5:35 am

Not a good job by QNAP, judging by this article:

http://www.h-online.com/security/news/i ... 83263.html

luddy
Easy as a breeze
Posts: 254
Joined: Wed May 12, 2010 10:35 pm

Re: Security Fix for Surveillance Station Pro v3.0

Post by luddy » Fri Jun 07, 2013 6:47 am

How nice. More reasons to love QNAP.

Toxic17
Ask me anything
Posts: 5557
Joined: Tue Jan 25, 2011 11:41 pm
Location: Planet Earth
Contact:

Re: Security Fix for Surveillance Station Pro v3.0

Post by Toxic17 » Fri Jun 07, 2013 7:12 am

QNAPJason wrote:Security Advisory

[What is affected]
Surveillance Station Pro v3.0 from QTS 4.0 could allow a guest user with "ping" permission.
CWE-284: Improper Access Control CVE-2013-0142
CWE-77: Improper Neutralization of Special Elements used in a Command CVE-2013-0143


Jason, what about CVE-2013-0141, as mentioned in the H Security post?
Regards Simon


Envalon
New here
Posts: 8
Joined: Fri Jun 07, 2013 5:17 am

Re: Security Fix for Surveillance Station Pro v3.0

Post by Envalon » Fri Jun 07, 2013 1:56 pm

@Jason, CVE-2013-0141 only affects Viostor systems. The only way to fix that problem is using one-time tokens in requests. But at the moment I think QNAP is only working on the QNAP NAS, not the QNAP Viostor. This is sad :(

QNAPJason
QNAP Staff
Posts: 5399
Joined: Thu May 21, 2009 2:14 pm
Location: Taipei

Re: Security Fix for Surveillance Station Pro v3.0

Post by QNAPJason » Fri Jun 07, 2013 2:09 pm

Hi Envalon,
For NAS Surveillance Station Pro v3, we will remove both the guest account and create_user.cgi (although create_user.cgi is of no use for the NAS; this CGI is created after installing Surveillance Station).
Our NVR team is also working on the Viostor fix. Please wait for some more time.

Jason

micmicmic
New here
Posts: 5
Joined: Thu Oct 29, 2009 12:04 am

Re: Security Fix for Surveillance Station Pro v3.0

Post by micmicmic » Fri Jun 07, 2013 2:31 pm

QNAPJason wrote:Security Advisory

[What is affected]
Surveillance Station Pro v3.0 from QTS 4.0 could allow a guest user with "ping" permission.
CWE-284: Improper Access Control CVE-2013-0142
CWE-77: Improper Neutralization of Special Elements used in a Command CVE-2013-0143

[How to fix]
Please go to App Center and upgrade Surveillance Station Pro to v3.0.1 or higher for the security fix (CWE-77).
The upcoming v3.0.2 will disable guest login completely. Please wait for 1 more day.
[attachment: SSPro3.0.1.jpg]


Does that mean I must upgrade to QTS 4.0??

------------------------------------
Current Mode: 469L
OS 3.8.2
QNAP TS-409 (Dead)
QNAP TS-469L FW4.3.4.0427 build 20171223
QNAP TAS-268 FW4.3.3.0404 build 20171213

Envalon
New here
Posts: 8
Joined: Fri Jun 07, 2013 5:17 am

Re: Security Fix for Surveillance Station Pro v3.0

Post by Envalon » Fri Jun 07, 2013 3:15 pm

Good question. Is Surveillance Station Pro 3.0.1 only for 4.0?

Can someone with FW 3.x.x say whether he can update Surveillance Station Pro to version 3.0.1?

Envalon
New here
Posts: 8
Joined: Fri Jun 07, 2013 5:17 am

Re: Security Fix for Surveillance Station Pro v3.0

Post by Envalon » Sat Jun 08, 2013 7:02 am

Can someone answer the question?

bugmenot3
Starting out
Posts: 46
Joined: Mon Mar 31, 2008 11:37 pm

Re: Security Fix for Surveillance Station Pro v3.0

Post by bugmenot3 » Sat Jun 08, 2013 2:55 pm

SS 3.* only runs on FW 4.*

That is the problem for many SS users like me.
Wait and let the QNAP team do their work.

Envalon
New here
Posts: 8
Joined: Fri Jun 07, 2013 5:17 am

Re: Security Fix for Surveillance Station Pro v3.0

Post by Envalon » Sat Jun 08, 2013 4:51 pm

Wait???
They had two and a half weeks to work on a FIX. They released a first update (never went live) and said it fixes the problem. Then I tested, and no, it was still vulnerable. Now they told again that they fixed the problem and will inform customers. But this "fix" is not a real fix. Also there is no information about the Viostor systems. If there is a company Viostor system reachable from the internet, you can access it and view cams, play records....... On the other hand there are a lot of NAS systems attackable from the internet with TB of data. These servers will probably now be attacked by hackers because the hack is so easy. Not everyone can upgrade to FW 4.0; this can even lead to data loss. So sorry, but QNAP did a really bad job. And it's not over!

andrewyu
Know my way around
Posts: 212
Joined: Fri Jul 18, 2008 8:29 pm
Location: Taipei
Contact:

Re: Security Fix for Surveillance Station Pro v3.0 & v2.x

Post by andrewyu » Sun Jun 09, 2013 3:07 pm

To fix the issues on VioStor NVR system, please visit http://forum.qnapsecurity.com/viewtopic ... 0&t=183680 to download the latest NVR firmware.
Best regards,

Andrew

Envalon
New here
Posts: 8
Joined: Fri Jun 07, 2013 5:17 am

Re: Security Fix for Surveillance Station Pro v3.0 & v2.x

Post by Envalon » Sun Jun 09, 2013 7:12 pm

@andrewyu, how did you fix the problem?
After a short look into the FW, pingping.cgi is still there. Is the input now sanitized? Is the guest account removed?
Would be nice if you could update the demo system on your homepage :)

Greetings
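For the two bug classes the advisory names (CWE-77, a "ping" CGI handing a user-supplied target to a shell, and CWE-284, a guest account being allowed to reach it), here is an added illustration of the input check and the permission check Envalon asks about. It is written for this thread and is not QNAP's firmware code; the function names, the session layout and the exact behaviour of pingping.cgi are assumptions.

```python
import ipaddress
import re
import subprocess

# Hostname label rule (RFC 1123): letters, digits and hyphens, no leading/trailing hyphen.
# A label can never start with '-', so a target like "-f" cannot become a ping option.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def is_safe_ping_target(target: str) -> bool:
    """Accept only a literal IPv4/IPv6 address or an RFC 1123 hostname (allow-list)."""
    if not target or len(target) > 253:
        return False
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        pass
    labels = target.rstrip(".").split(".")
    return all(_LABEL.match(label) for label in labels)


def unsafe_ping_command(target: str) -> str:
    """The CWE-77 pattern: a shell string built by concatenation, so every shell
    metacharacter in 'target' is interpreted by the shell. Shown only for contrast."""
    return "ping -c 1 " + target


def safe_ping_argv(target: str) -> list:
    """Hardened form: validate first, then pass an argv list so no shell parses it."""
    if not is_safe_ping_target(target):
        raise ValueError("rejected ping target")
    return ["ping", "-c", "1", target]


def authorize_ping(session: dict) -> bool:
    """CWE-284 side: require an authenticated, non-guest account holding the 'ping'
    privilege (the session dict layout is an assumption made for this example)."""
    return (session.get("authenticated") is True
            and session.get("user") != "guest"
            and "ping" in session.get("privileges", ()))


def run_ping(session: dict, target: str) -> int:
    """Authorize, validate, then run ping without a shell; returns the exit status."""
    if not authorize_ping(session):
        raise PermissionError("ping not permitted for this session")
    return subprocess.run(safe_ping_argv(target), capture_output=True, timeout=10).returncode
```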
