Published: 2021/12/22  Last Updated: 2021/12/22

JVNVU#95429813
Multiple vulnerabilities in QNAP VioStar NVR

Overview

VioStar series NVR provided by QNAP Systems contains multiple vulnerabilities.

Products Affected

  • QNAP VioStar series NVR

Description

VioStar series NVR provided by QNAP Systems contains multiple vulnerabilities listed below.

  • Command injection (CWE-77) - CVE-2021-38685
    CVSS v3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Base Score: 9.8
  • Improper authentication (CWE-287) - CVE-2021-38686
    CVSS v3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Base Score: 9.8

Impact

  • An arbitrary command may be executed by a remote attacker. - CVE-2021-38685
  • A remote attacker can log in to the vulnerable system. - CVE-2021-38686

Solution

Update the firmware
Apply the appropriate firmware update according to the information provided by the developer.
The developer has released the fixed version listed below.

  • QVR 5.1.6 build 20211109

Credit

goroh_kun of 00One, Inc. reported these vulnerabilities to JPCERT/CC.
JPCERT/CC coordinated with the developer.
