Headline
CVE-2023-47565: Vulnerability Affecting Legacy VioStor NVR - Security Advisory
We have already fixed the vulnerability in the following versions:
QVR Firmware 5.0.0 and later
Security ID: QSA-23-48
Release date: December 9, 2023
CVE identifier: CVE-2023-47565
Affected products: QVR Firmware 4.x
Summary
An OS command injection vulnerability has been found to affect legacy QNAP VioStor NVR models running QVR Firmware 4.x. If exploited, the vulnerability could allow authenticated users to execute commands via a network.
We already fixed the vulnerability in QVR Firmware 5.0.0 on June 21, 2014:
| Affected Product | Fixed Version |
| --- | --- |
| QVR Firmware 4.x | QVR Firmware 5.x and later |
Recommendation
To mitigate the vulnerability, use strong passwords for all user accounts.
To further secure your device, we highly recommend updating QVR to the latest version.
Changing User Passwords in QVR
- Log on to QVR.
- Go to Control Panel > Privilege > Users.
- Identify the user you want to edit.
  Note: Only administrators can change the passwords of other users.
- Click the Change Password icon.
- Specify a new, strong password.
- Verify the password.
- Click Apply.
Updating QVR Firmware
- Log on to QVR as an administrator.
- Go to Control Panel > System Settings > Firmware Update.
- Select the Firmware Update tab.
- Click Browse… to upload the latest firmware file.
  Tip: Download the latest firmware file for your specific model from https://www.qnap.com/go/download. Select “Legacy NVR” to locate your model.
- Click Update System.
QVR installs the update.
Attachment
- CVE-2023-47565.json
Acknowledgements: Chad Seaman and Larry Cashdollar of Akamai Technologies reported this vulnerability to CISA.
Revision History:
V1.0 (December 09, 2023) - Published