Pasquale `sid` Fiorillo and Guido `go` Oricchio have released a critical security advisory for any QNAP NAS running any version of QTS prior to 4.2.4 Build 20170313.
The issue affects every QNAP NAS that is a member of a Microsoft Active Directory, and it can be used by any local user, such as “httpdusr” (the account used to run web applications), to escalate to Domain Administrator.
- Advisory: Read from USH
- CVE: CVE-2017-5227
- Vendor bulletin: NAS-201703-21
- Press release: Security Affairs