[CDP-development] TLP:GREEN (Zero-Day Alert Notification) - CVE-2023-47565 QNAP VioStor NVR OS Command Injection Vulnerability & CVE-2023-49897 FXC AE1021, AE1021PE OS Command Injection Vulnerability

CSS Security Operations Services * DAS css-soc-services at das.oregon.gov
Thu Dec 21 13:12:24 PST 2023


Good afternoon,

The SOC Services team is reporting on the vulnerabilities CVE-2023-47565 (QNAP VioStor NVR OS command injection) and CVE-2023-49897 (FXC AE1021 and AE1021PE OS command injection). Because of their high visibility and our knowledge of the software installed in the state environment, we are providing this in-depth information:

History: On December 21, 2023, CISA added CVE-2023-47565 to the Known Exploited Vulnerabilities Catalog. CVE-2023-47565 is an OS command injection vulnerability in legacy QNAP VioStor NVR devices with a CVSS score of 8.0; QNAP fixed it in the QVR 5.0.0 firmware update released June 21, 2014, so any device still running QVR 4.x has been unpatched for more than nine years. On the same day, CISA also added CVE-2023-49897, an OS command injection vulnerability in the AE1021 and AE1021PE firmware from FXC.

QNAP affected versions:

  *   QVR firmware 4.X

QNAP fixed versions:

  *   QVR firmware 5.X and later

QNAP has released security advisory QSA-23-48 for this vulnerability: https://www.qnap.com/en-us/security-advisory/qsa-23-48

FXC affected versions:

  *   AE1021PE firmware 2.09 and earlier
  *   AE1021 firmware 2.09 and earlier

FXC fixed versions:

  *   AE1021PE firmware 2.0.1.0
  *   AE1021 firmware 2.0.1.0

An English version of the FXC security advisory (the original is in Japanese) is published by JVN: https://jvn.jp/en/vu/JVNVU92152057/
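The version boundaries above are easy to get wrong in an inventory query: under a plain numeric comparison the FXC fix (2.0.1.0) sorts below the last affected release (2.09), so a naive "version less than fixed" filter would report every patched access point as vulnerable. The triage script below is an added example written for this notification, not vendor tooling. The inventory record format, host names and helper names are assumptions; it treats FXC's two-part (2.09-style) and four-part (2.0.1.0-style) version strings as separate numbering schemes, treats any QVR release below 5 as unfixed, and reports anything it cannot place as "unknown" for manual verification rather than guessing.

```python
"""Fleet triage for CVE-2023-47565 (QNAP VioStor NVR, QVR 4.x) and
CVE-2023-49897 (FXC AE1021 / AE1021PE, firmware 2.09 and earlier).

Added example for this notification. The Device record, the sample
inventory and the helper names are assumptions; the version boundaries
are the ones stated in the advisory.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple

# Boundaries from the advisory.
QNAP_FIXED_MAJOR = 5                 # QVR 5.x and later fixed; 4.x affected
FXC_LAST_VULNERABLE_OLD = (2, 9)     # "2.09 and earlier" (two-part scheme)
FXC_FIXED_NEW = (2, 0, 1, 0)         # "2.0.1.0" (four-part scheme)


def numeric_parts(version: str) -> Tuple[int, ...]:
    """Leading dotted numeric token as a tuple: '5.1.5 build 20230915' -> (5, 1, 5)."""
    token = version.strip().split()[0] if version.strip() else ""
    return tuple(int(n) for n in re.findall(r"\d+", token))


def qnap_viostor_status(version: str) -> str:
    """CVE-2023-47565: QVR 4.x affected, 5.x and later fixed.

    Assumption: anything below QVR 5 (including older legacy releases)
    is treated as unfixed, which is the conservative reading.
    """
    parts = numeric_parts(version)
    if not parts:
        return "unknown"
    return "fixed" if parts[0] >= QNAP_FIXED_MAJOR else "vulnerable"


def fxc_ae1021_status(version: str) -> str:
    """CVE-2023-49897: 2.09 and earlier affected, 2.0.1.0 fixed.

    The two schemes are compared separately: a single numeric sort would
    rank the fix (2, 0, 1, 0) below the last affected release (2, 9).
    Two-part versions above 2.09 and four-part versions below 2.0.1.0 are
    not described by the advisory and are reported as unknown.
    """
    parts = numeric_parts(version)
    if len(parts) == 2:
        return "vulnerable" if parts <= FXC_LAST_VULNERABLE_OLD else "unknown"
    if len(parts) == 4:
        return "fixed" if parts >= FXC_FIXED_NEW else "unknown"
    return "unknown"


@dataclass(frozen=True)
class Device:
    host: str
    vendor: str      # e.g. "QNAP" or "FXC"
    model: str
    firmware: str


def triage(devices: Iterable[Device]) -> Dict[str, Tuple[str, str]]:
    """Map host -> (CVE, status) for in-scope devices; others are 'not in scope'."""
    result: Dict[str, Tuple[str, str]] = {}
    for d in devices:
        vendor, model = d.vendor.strip().upper(), d.model.strip().upper()
        if vendor == "QNAP" and "VIOSTOR" in model:
            result[d.host] = ("CVE-2023-47565", qnap_viostor_status(d.firmware))
        elif vendor == "FXC" and model in ("AE1021", "AE1021PE"):
            result[d.host] = ("CVE-2023-49897", fxc_ae1021_status(d.firmware))
        else:
            result[d.host] = ("-", "not in scope")
    return result


# Constructed sample inventory (hypothetical hosts, not real assets).
SAMPLE_INVENTORY = [
    Device("nvr-01", "QNAP", "VioStor NVR", "4.1.3"),
    Device("nvr-02", "QNAP", "VioStor NVR", "5.1.5 build 20230915"),
    Device("ap-01", "FXC", "AE1021PE", "2.09"),
    Device("ap-02", "FXC", "AE1021", "2.0.1.0"),
    Device("ap-03", "FXC", "AE1021", "2.10"),
    Device("nas-01", "QNAP", "TS-453D", "5.1.4"),
]

if __name__ == "__main__":
    for host, (cve, status) in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host:8} {cve:15} {status}")
```

Anything reported as "unknown" should be checked by hand against the vendor advisory rather than dropped from the remediation list.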

Intelligence: As of December 21, 2023, both vulnerabilities have been confirmed as exploited in the wild; both are used by the "InfectedSlurs" botnet.

Workarounds: There are no workarounds for these vulnerabilities.

How it works: Akamai has published extensive information on how these vulnerabilities are being exploited in the wild, along with detection content (Snort rules and YARA rules), indicators of compromise, malware samples, and C2 domains. The Akamai blog post can be found here: https://www.akamai.com/blog/security-research/new-rce-botnet-spreads-mirai-via-zero-days.

Post-Exploit: Successful exploitation of CVE-2023-47565 allows an authenticated user to execute commands over the network. Successful exploitation of CVE-2023-49897 allows an authenticated user to execute arbitrary OS commands. Both require authentication, so factory-default or shared credentials on these devices should be treated as removing that barrier.

As of December 21, 2023, Tenable has not released any plugins for these vulnerabilities and has none in the pipeline.

Recommended Actions:

  *   Verify that the host has not been compromised before applying patches; the indicators of compromise and C2 domains in the Akamai post are a starting point.
  *   Apply the appropriate vendor updates to vulnerable systems immediately after appropriate testing.
  *   Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  *   Apply the Principle of Least Privilege to all systems and services.


Cyber Security Services
State of Oregon Cyber Security Services
Enterprise Information Services | SOC
Cyber Security Services (CSS)
SOC Hotline: (503) 378-5930 | SOC Services (503) 373-0378
"Ensuring user-friendly, reliable and secure state technology systems that serve Oregonians."

