Published: 2021/12/22
Last Updated: 2021/12/22
JVNVU#95429813
Multiple vulnerabilities in QNAP VioStar NVR
Overview
VioStar series NVR provided by QNAP Systems contains multiple vulnerabilities.
Products Affected
- QNAP VioStar series NVR
Description
VioStar series NVR provided by QNAP Systems contains multiple vulnerabilities listed below.
- Command injection (CWE-77) - CVE-2021-38685
  CVSS v3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Base Score: 9.8
- Improper authentication (CWE-287) - CVE-2021-38686
  CVSS v3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Base Score: 9.8
Impact
- A remote attacker may execute an arbitrary command - CVE-2021-38685
- A remote attacker can log in to the vulnerable system - CVE-2021-38686
Solution
Update the firmware
Apply the appropriate firmware update according to the information provided by the developer.
The developer has released the fixed version below.
- QVR 5.1.6 build 20211109
Vendor Status
Vendor | Link |
QNAP Systems, Inc. | Command Injection Vulnerability in QVR |
QNAP Systems, Inc. | Improper Authentication Vulnerability in QVR |
Credit
goroh_kun of 00One, Inc. reported these vulnerabilities to JPCERT/CC.
JPCERT/CC coordinated with the developer.