QNAP warns of vulnerabilities in its NAS software products, including QTS, QuTS hero, QuTScloud, and myQNAPcloud, that could allow attackers to access devices.
The Taiwanese Network Attached Storage (NAS) device maker disclosed three vulnerabilities that can lead to an authentication bypass, command injection, and SQL injection.
While the last two require the attackers to be authenticated on the target system, which significantly lessens the risk, the first (CVE-2024-21899) can be executed remotely without authentication and is marked as “low complexity.”
The three flaws fixed are the following:
- CVE-2024-21899: Improper authentication mechanisms allow unauthorized users to compromise the system’s security via the network (remotely).
- CVE-2024-21900: This vulnerability could allow authenticated users to execute arbitrary commands on the system via a network, potentially leading to unauthorized system access or control.
- CVE-2024-21901: This flaw could enable authenticated administrators to inject malicious SQL code via the network, potentially compromising the database integrity and manipulating its contents.
The flaws impact various versions of QNAP’s operating systems, including QTS 5.1.x, QTS 4.5.x, QuTS hero h5.1.x, QuTS hero h4.5.x, QuTScloud c5.x, and the myQNAPcloud 1.0.x service.
Users are recommended to upgrade to the following versions, which address the three flaws:
- QTS 5.1.3.2578 build 20231110 and later
- QTS 4.5.4.2627 build 20231225 and later
- QuTS hero h5.1.3.2578 build 20231110 and later
- QuTS hero h4.5.4.2626 build 20231225 and later
- QuTScloud c5.1.5.2651 and later
- myQNAPcloud 1.0.52 (2023/11/24) and later
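Deciding whether a given device is covered by the fixed releases above is mostly a matter of matching the release branch (5.1.x versus 4.5.x, for example) and then comparing version number and build date. The following script is an added example, not QNAP’s code or tooling: it encodes the fixed-version table from the list above and classifies inventory rows as patched, needing an update, or not covered by the advisory. The version string formats it accepts (`5.1.3.2578 build 20231110`, `h4.5.4.2626`, `c5.1.5.2651`) are assumed from the list above, and the sample inventory at the bottom is constructed.

```python
"""Check QNAP product versions against the fixed releases in the advisory.

Added example, not QNAP's code. The FIXED table is transcribed from the
advisory's list of fixed versions; SAMPLE_INVENTORY is constructed data.
"""
import re
from typing import Optional

# (product, prefix letter in the version string, release branch, first fixed
# version, first fixed build date). Build date is None where the advisory
# gives no build number for the fix.
FIXED = [
    ("QTS",         "",  (5, 1), (5, 1, 3, 2578), 20231110),
    ("QTS",         "",  (4, 5), (4, 5, 4, 2627), 20231225),
    ("QuTS hero",   "h", (5, 1), (5, 1, 3, 2578), 20231110),
    ("QuTS hero",   "h", (4, 5), (4, 5, 4, 2626), 20231225),
    ("QuTScloud",   "c", (5,),   (5, 1, 5, 2651), None),
    ("myQNAPcloud", "",  (1, 0), (1, 0, 52),      None),
]

# Accepted shapes (assumed): "5.1.3.2578 build 20231110", "h4.5.4.2626", "c5.1.5.2651"
VERSION_RE = re.compile(
    r"^(?P<prefix>[hc]?)(?P<nums>\d+(?:\.\d+)*)(?:\s+build\s+(?P<build>\d{8}))?$",
    re.IGNORECASE,
)


def parse_version(text: str):
    """Split a version string into (prefix letter, numeric tuple, build date or None)."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = tuple(int(x) for x in m.group("nums").split("."))
    build = int(m.group("build")) if m.group("build") else None
    return m.group("prefix").lower(), nums, build


def is_patched(product: str, version_text: str) -> Optional[bool]:
    """True if the version is at or above the fix for its branch, False if
    below it, None if the advisory lists no fix for that branch or the string
    lacks the build date needed to decide."""
    prefix, nums, build = parse_version(version_text)
    for prod, pfx, branch, fixed_nums, fixed_build in FIXED:
        if prod != product or pfx != prefix or nums[: len(branch)] != branch:
            continue
        if nums != fixed_nums:
            # Tuple comparison: a shorter tuple that is a prefix of a longer
            # one sorts first, so "5.1.3" counts as older than "5.1.3.2578".
            return nums > fixed_nums
        if fixed_build is None:
            return True
        if build is None:
            return None  # same version number; the build date decides
        return build >= fixed_build
    return None  # release branch not covered by this advisory


def unpatched_hosts(inventory):
    """From rows of (host, product, version) return two lists: hosts whose
    version is below the fix, and hosts that could not be classified."""
    needs_update, unknown = [], []
    for host, product, version in inventory:
        state = is_patched(product, version)
        if state is False:
            needs_update.append(host)
        elif state is None:
            unknown.append(host)
    return needs_update, unknown


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("nas-01", "QTS", "5.1.3.2578 build 20231110"),
    ("nas-02", "QTS", "5.1.2.2533 build 20230926"),
    ("nas-03", "QuTS hero", "h4.5.4.2625 build 20231201"),
    ("nas-04", "QuTScloud", "c5.1.5.2651"),
    ("nas-05", "QTS", "5.0.1.2277 build 20230322"),
]

if __name__ == "__main__":
    needs_update, unknown = unpatched_hosts(SAMPLE_INVENTORY)
    print("needs update:", needs_update)
    print("not covered by advisory or undecidable:", unknown)
```

The script deliberately returns `None` rather than guessing when a branch is not in the advisory (QTS 5.0.x, for instance) or when a version string equals the fixed number but carries no build date; on a real inventory those hosts deserve a manual look rather than being silently counted as patched.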
For QTS, QuTS hero, and QuTScloud, users should log in as administrators, navigate to ‘Control Panel > System > Firmware Update,’ and click ‘Check for Update’ to launch the automatic installation process.
To update myQNAPcloud, log in as admin, open the ‘App Center,’ click on the search box, and type “myQNAPcloud” + ENTER. The update should appear in the results. Click on the ‘Update’ button to start.
NAS devices typically store large amounts of valuable data for businesses and individuals, including sensitive personal information, intellectual property, and critical business data. At the same time, they aren’t closely monitored, remain always connected and exposed to the internet, and could be running outdated OS/firmware.
For all these reasons, NAS devices are often targeted for data theft and extortion.
Some ransomware operations previously known for targeting QNAP devices are DeadBolt, Checkmate, and Qlocker.
These groups have launched numerous attack waves against NAS users, sometimes leveraging zero-day exploits to breach fully patched devices.
The best advice for NAS owners is to always keep your software updated, and even better, don’t expose these types of devices to the internet.