ID

VAR-201708-0874


CVE

CVE-2017-12582


TITLE

QNAP TS-212P Vulnerabilities related to authorization, authority, and access control in device firmware

Trust: 0.8

sources: JVNDB: JVNDB-2017-007247

DESCRIPTION

An unprivileged user can access all functions in the Surveillance Station component of QNAP TS212P devices with firmware 4.2.1 build 20160601. The unprivileged user cannot log in at the front end, but with that user's SID all functions of Surveillance Station can be accessed. QNAP TS-212P device firmware contains vulnerabilities related to authorization, permissions, and access control. Information may be obtained or altered, and service operation may be disrupted (DoS). The QNAP TS212P is a NAS storage device from QNAP Systems. Surveillance Station is one of its image management components. A security vulnerability exists in the Surveillance Station component of the QNAP TS212P device using firmware version 4.2.1 build 20160601. An attacker could exploit this vulnerability to access all functions. QNAP Surveillance Station is prone to an authentication-bypass vulnerability. Attackers may exploit this issue to gain unauthorized access or bypass intended security restrictions. QNAP TS212P firmware 4.2.1 build 20160601 is vulnerable; other versions may also be affected.

Trust: 2.52

sources: NVD: CVE-2017-12582 // JVNDB: JVNDB-2017-007247 // CNVD: CNVD-2017-30008 // BID: 100884 // VULHUB: VHN-103119

IOT TAXONOMY

category: ['Network device'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2017-30008

AFFECTED PRODUCTS

vendor: qnap, model: ts-212p, scope: eq, version: 4.2.1

Trust: 1.6

vendor: qnap, model: ts-212p, scope: eq, version: 4.2.1 build 20160601

Trust: 0.8

vendor: qnap, model: systems ts212p build, scope: eq, version: 4.2.120160601

Trust: 0.6

vendor: qnap, model: ts212p build, scope: eq, version: 4.2.120160601

Trust: 0.3

sources: CNVD: CNVD-2017-30008 // BID: 100884 // JVNDB: JVNDB-2017-007247 // CNNVD: CNNVD-201708-169 // NVD: CVE-2017-12582

CVSS

SEVERITY

nvd@nist.gov: CVE-2017-12582
value: CRITICAL

Trust: 1.0

NVD: CVE-2017-12582
value: CRITICAL

Trust: 0.8

CNVD: CNVD-2017-30008
value: HIGH

Trust: 0.6

CNNVD: CNNVD-201708-169
value: CRITICAL

Trust: 0.6

VULHUB: VHN-103119
value: HIGH

Trust: 0.1

CVSSV2

nvd@nist.gov: CVE-2017-12582
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2017-30008
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-103119
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

CVSSV3

nvd@nist.gov: CVE-2017-12582
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: CNVD: CNVD-2017-30008 // VULHUB: VHN-103119 // JVNDB: JVNDB-2017-007247 // CNNVD: CNNVD-201708-169 // NVD: CVE-2017-12582

PROBLEMTYPE DATA

problemtype:CWE-862

Trust: 1.1

problemtype:CWE-264

Trust: 0.9

sources: VULHUB: VHN-103119 // JVNDB: JVNDB-2017-007247 // NVD: CVE-2017-12582

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201708-169

TYPE

permissions and access control issues

Trust: 0.6

sources: CNNVD: CNNVD-201708-169

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-007247

PATCH

title: TS-212P, url: https://www.qnap.com/en-us/product/model.php?II=117

Trust: 0.8

sources: JVNDB: JVNDB-2017-007247

EXTERNAL IDS

db: NVD, id: CVE-2017-12582

Trust: 3.4

db: JVNDB, id: JVNDB-2017-007247

Trust: 0.8

db: CNNVD, id: CNNVD-201708-169

Trust: 0.7

db: CNVD, id: CNVD-2017-30008

Trust: 0.6

db: BID, id: 100884

Trust: 0.4

db: VULHUB, id: VHN-103119

Trust: 0.1

sources: CNVD: CNVD-2017-30008 // VULHUB: VHN-103119 // BID: 100884 // JVNDB: JVNDB-2017-007247 // CNNVD: CNNVD-201708-169 // NVD: CVE-2017-12582

REFERENCES

url:http://www.kth.ninja/2017/08/qnap-surveillance-station.html

Trust: 3.4

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-12582

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2017-12582

Trust: 0.8

url:https://www.qnap.com/en/

Trust: 0.3

sources: CNVD: CNVD-2017-30008 // VULHUB: VHN-103119 // BID: 100884 // JVNDB: JVNDB-2017-007247 // CNNVD: CNNVD-201708-169 // NVD: CVE-2017-12582

CREDITS

Kyaw Thiha

Trust: 0.3

sources: BID: 100884

SOURCES

db: CNVD, id: CNVD-2017-30008
db: VULHUB, id: VHN-103119
db: BID, id: 100884
db: JVNDB, id: JVNDB-2017-007247
db: CNNVD, id: CNNVD-201708-169
db: NVD, id: CVE-2017-12582

LAST UPDATE DATE

2025-04-20T23:35:47.484000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2017-30008, date: 2017-10-13T00:00:00
db: VULHUB, id: VHN-103119, date: 2019-10-03T00:00:00
db: BID, id: 100884, date: 2017-08-18T00:00:00
db: JVNDB, id: JVNDB-2017-007247, date: 2017-09-14T00:00:00
db: CNNVD, id: CNNVD-201708-169, date: 2019-10-23T00:00:00
db: NVD, id: CVE-2017-12582, date: 2025-04-20T01:37:25.860

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2017-30008, date: 2017-10-13T00:00:00
db: VULHUB, id: VHN-103119, date: 2017-08-18T00:00:00
db: BID, id: 100884, date: 2017-08-18T00:00:00
db: JVNDB, id: JVNDB-2017-007247, date: 2017-09-14T00:00:00
db: CNNVD, id: CNNVD-201708-169, date: 2017-08-07T00:00:00
db: NVD, id: CVE-2017-12582, date: 2017-08-18T16:29:00.373