CVE-2021-28807
📋 TL;DR
This is a post-authentication reflected cross-site scripting (XSS) vulnerability in QNAP's Q'center management software. It allows authenticated attackers to inject malicious JavaScript that executes in victims' browsers when they visit specially crafted URLs. This affects QNAP NAS devices running vulnerable versions of Q'center.
💻 Affected Systems
- QNAP NAS with Q'center
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
An authenticated attacker could steal administrator session cookies, perform actions as the administrator, pivot to other systems, or deploy ransomware on the NAS.
Likely Case
Attackers with valid credentials could steal session tokens to maintain persistent access, modify system configurations, or deploy malware.
If Mitigated
With proper network segmentation and strong authentication controls, impact is limited to the Q'center application itself.
🎯 Exploit Status
Exploitation requires valid credentials. Public proof-of-concept demonstrates the XSS injection. The vulnerability is reflected XSS, meaning the malicious payload must be delivered to the victim (e.g., via phishing).
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Q'center v1.12.1012 or later for QTS 4.5.3/QuTS hero h4.5.2/QuTScloud c4.5.4; v1.10.1004 or later for QTS 4.3.6/4.3.3
Vendor Advisory: https://www.qnap.com/zh-tw/security-advisory/qsa-21-20
Restart Required: Yes
Instructions:
1. Log into the QNAP NAS web interface.
2. Go to App Center.
3. Check for updates to Q'center.
4. Install the latest version.
5. Restart the NAS if prompted.
🔧 Temporary Workarounds
Disable Q'center if unused
Remove or disable the Q'center application if it is not required for operations.
Log into QNAP web interface > App Center > Q'center > Uninstall
Restrict network access
Configure firewall rules to limit access to the Q'center web interface to trusted IP addresses only.
Configure via QNAP firewall: Control Panel > Security > Firewall > Create rule to allow only specific IPs to port 8080/8443
🧯 If You Can't Patch
- Implement strong authentication controls (MFA, complex passwords) and monitor for credential compromise.
- Segment QNAP NAS devices on isolated network VLANs to limit lateral movement potential.
🔍 How to Verify
Check if Vulnerable:
Check Q'center version in QNAP web interface: Control Panel > System > About > Installed Applications. Compare against patched versions.
Check Version:
ssh admin@qnap-ip 'grep Qcenter /etc/config/qpkg.conf'
Verify Fix Applied:
Verify Q'center version is v1.12.1012 or later (for QTS 4.5.3/QuTS hero h4.5.2/QuTScloud c4.5.4) or v1.10.1004 or later (for QTS 4.3.6/4.3.3).
📡 Detection & Monitoring
Log Indicators:
- Unusual authentication attempts to Q'center
- HTTP requests containing JavaScript payloads in URL parameters to Q'center endpoints
Network Indicators:
- HTTP traffic to Q'center port (default 8080/8443) with suspicious query parameters containing script tags or JavaScript
SIEM Query:
source="qnap_nas" AND (url="*Qcenter*" AND (url="*<script>*" OR url="*javascript:*"))
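The SIEM pattern above matches only literal `<script>` and `javascript:` strings, so a percent-encoded payload in the query string would slip past it. The following added example (not part of the advisory or of QNAP's tooling) runs the same two indicators over constructed Common Log Format access-log lines, URL-decoding the query string before matching; the log format and the `/qcenter/` path prefix are assumptions.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample access-log lines (not real traffic), Common Log Format.
# The third line carries a percent-encoded payload that a plain "*<script>*"
# wildcard match would miss; the fourth is a benign non-Q'center request.
SAMPLE_LOG = """\
10.0.0.5 - admin [12/Apr/2021:10:01:02 +0000] "GET /qcenter/index.html HTTP/1.1" 200 512
10.0.0.9 - admin [12/Apr/2021:10:02:15 +0000] "GET /qcenter/login?next=<script>alert(1)</script> HTTP/1.1" 200 128
10.0.0.9 - admin [12/Apr/2021:10:02:40 +0000] "GET /qcenter/list?name=%3Cscript%3Ealert%281%29%3C%2Fscript%3E HTTP/1.1" 200 128
10.0.0.7 - - [12/Apr/2021:10:03:01 +0000] "GET /photos/?q=javascript HTTP/1.1" 200 64
10.0.0.9 - admin [12/Apr/2021:10:04:11 +0000] "GET /qcenter/view?u=javascript:alert(1) HTTP/1.1" 200 128
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)
# The two indicators from the SIEM query: a script tag or a javascript: URI.
PAYLOAD_RE = re.compile(r'<\s*script\b|javascript\s*:', re.IGNORECASE)


def is_qcenter_request(url: str) -> bool:
    """Assumed: Q'center endpoints live under a /qcenter/ path prefix."""
    return "qcenter" in urlsplit(url).path.lower()


def has_script_payload(url: str) -> bool:
    """Decode the query string twice (to catch double encoding) before matching."""
    decoded = unquote(unquote(urlsplit(url).query))
    return bool(PAYLOAD_RE.search(decoded))


def find_xss_attempts(log_text: str) -> list:
    """Return one record per Q'center request whose query carries a script payload."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        url = m.group("url")
        if is_qcenter_request(url) and has_script_payload(url):
            hits.append({"ip": m.group("ip"), "user": m.group("user"), "url": url})
    return hits


if __name__ == "__main__":
    for hit in find_xss_attempts(SAMPLE_LOG):
        print(hit)
```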
🔗 References
- https://www.qnap.com/zh-tw/security-advisory/qsa-21-20
- https://www.shielder.it/advisories/qnap-qcenter-post-auth-remote-code-execution-via-qpkg/
- https://www.shielder.it/advisories/qnap-qcenter-virtual-stored-xss/