CVE-2021-38685

9.8 CRITICAL

📋 TL;DR

This is a critical command injection vulnerability in QNAP VioStor devices that allows remote attackers to execute arbitrary commands on affected systems. It affects QVR firmware versions before 5.1.6 build 20211109. Attackers can potentially gain complete control of vulnerable devices.

💻 Affected Systems

Products:
  • QNAP VioStor NVR devices running QVR
Versions: All versions before QVR FW 5.1.6 build 20211109
Operating Systems: QTS (QNAP Turbo NAS System)
Default Config Vulnerable: ⚠️ Yes
Notes: Affects QVR firmware specifically; other QNAP products may not be affected. Devices with remote access enabled are at highest risk.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise allowing attackers to install malware, exfiltrate data, pivot to internal networks, or use the device for cryptocurrency mining or DDoS attacks.

🟠 Likely Case

Remote code execution leading to data theft, surveillance system compromise, or ransomware deployment on affected QNAP devices.

🟢 If Mitigated

Limited impact if devices are behind firewalls with restricted network access and proper segmentation.

🌐 Internet-Facing: HIGH - QNAP devices are often exposed to the internet for remote access, making them prime targets for automated exploitation.
🏢 Internal Only: MEDIUM - Still significant risk from internal threats or attackers who have breached perimeter defenses.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Command injection vulnerabilities are typically easy to exploit once details are known. Given the high CVSS score and QNAP's popularity, exploitation is likely.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: QVR FW 5.1.6 build 20211109 and later

Vendor Advisory: https://www.qnap.com/en/security-advisory/qsa-21-51

Restart Required: Yes

Instructions:

1. Log into QNAP device admin interface.
2. Navigate to Control Panel > System > Firmware Update.
3. Check for updates and install QVR FW 5.1.6 build 20211109 or later.
4. Reboot the device after installation.

🔧 Temporary Workarounds

Network Isolation

all

Restrict network access to QNAP devices to prevent remote exploitation

Disable Remote Access

all

Turn off external access features if not required

🧯 If You Can't Patch

  • Isolate affected devices in a separate VLAN with strict firewall rules
  • Implement network monitoring and intrusion detection for suspicious command execution attempts

🔍 How to Verify

Check if Vulnerable:

Check QVR firmware version in QNAP admin interface under Control Panel > System > Firmware Update

Check Version:

ssh admin@qnap-device 'grep -i version /etc/config/uLinux.conf'

Verify Fix Applied:

Confirm firmware version is 5.1.6 build 20211109 or later in the same interface
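
For checking many devices, the version-and-build comparison from the verify steps above can be scripted. This is an added example, not code from this page or from QNAP; the config key names `Version` and `Build Number` parsed by `check_conf` are assumptions, and the sample input is constructed.

```shell
FIXED_VERSION="5.1.6"; FIXED_BUILD="20211109"   # fixed release named on this page

# ver_cmp A B: print -1, 0 or 1, comparing dotted versions field by field
# as numbers (so 5.10.0 sorts after 5.1.6, unlike a string compare).
ver_cmp() {
    _a=$1; _b=$2
    while [ -n "$_a" ] || [ -n "$_b" ]; do
        _x=${_a%%.*}; _y=${_b%%.*}
        [ "$_a" = "$_x" ] && _a="" || _a=${_a#*.}
        [ "$_b" = "$_y" ] && _b="" || _b=${_b#*.}
        _x=${_x:-0}; _y=${_y:-0}          # missing field counts as 0
        if [ "$_x" -lt "$_y" ]; then echo -1; return; fi
        if [ "$_x" -gt "$_y" ]; then echo 1; return; fi
    done
    echo 0
}

# qvr_is_patched VERSION BUILD
# returns 0 = fixed release or later, 1 = older (vulnerable), 2 = bad input
qvr_is_patched() {
    case $1 in ""|*[!0-9.]*) return 2 ;; esac
    case $2 in ""|*[!0-9]*)  return 2 ;; esac
    case $(ver_cmp "$1" "$FIXED_VERSION") in
        1)  return 0 ;;
        -1) return 1 ;;
    esac
    [ "$2" -ge "$FIXED_BUILD" ]           # same version: build date decides
}

# check_conf: read config text on stdin and classify it.
# ASSUMPTION: the keys are "Version" and "Build Number"; adjust to your file.
check_conf() {
    _conf=$(cat)
    _v=$(printf '%s\n' "$_conf" | sed -n 's/^Version *= *\([0-9.]*\).*/\1/p' | head -n 1)
    _n=$(printf '%s\n' "$_conf" | sed -n 's/^Build Number *= *\([0-9]*\).*/\1/p' | head -n 1)
    qvr_is_patched "$_v" "$_n"
}

# Constructed sample input (not from a real device).
SAMPLE_CONF='[System]
Version = 5.1.5
Build Number = 20210803'

if printf '%s\n' "$SAMPLE_CONF" | check_conf; then
    echo "patched"
else
    echo "vulnerable or unparseable (status $?)"
fi
```

A status of 2 means the version or build could not be read, which should be treated as unverified rather than as patched.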

📡 Detection & Monitoring

Log Indicators:

  • Unusual command execution in system logs
  • Suspicious process creation from web services
  • Failed authentication attempts followed by command execution

Network Indicators:

  • Unusual outbound connections from QNAP devices
  • Command and control traffic patterns
  • Exploit kit traffic to QNAP web interfaces

SIEM Query:

source="qnap_logs" AND (process="*sh" OR process="*bash" OR cmd="*;*" OR cmd="*|*") AND (user="httpd" OR user="www-data")
