QNAP Methods revealed security advisories for 2 vital command injection vulnerabilities that influence a number of variations of the QTS working system and purposes on its network-attached storage (NAS) gadgets.
The primary flaw is being tracked as CVE-2023-23368 and has a vital severity score of 9.8 out of 10. It’s a command injection vulnerability {that a} distant attacker can exploit to execute instructions by way of a community.
QTS variations affected by the security concern are QTS 5.0.x and 4.5.x, QuTS hero h5.0.x and h4.5.x, and QuTScloud c5.0.1.
Fixes can be found within the following releases:
- QTS 5.0.1.2376 construct 20230421 and later
- QTS 4.5.4.2374 construct 20230416 and later
- QuTS hero h5.0.1.2376 construct 20230421 and later
- QuTS hero h4.5.4.2374 construct 20230417 and later
- QuTScloud c5.0.1.2374 and later
The second vulnerability is recognized as CVE-2023-23369 and has a decrease severity score of 9.0 and may be exploited by a distant attacker to the identical impact because the earlier one.
Impacted QTS variations embrace 5.1.x, 4.3.6, 4.3.4, 4.3.3, and 4.2.x, Multimedia Console 2.1.x and 1.4.x, and Media Streaming add-on 500.1.x and 500.0.x.
Fixes can be found in:
- QTS 5.1.0.2399 construct 20230515 and later
- QTS 4.3.6.2441 construct 20230621 and later
- QTS 4.3.4.2451 construct 20230621 and later
- QTS 4.3.3.2420 construct 20230621 and later
- QTS 4.2.6 construct 20230621 and later
- Multimedia Console 2.1.2 (2023/05/04) and later
- Multimedia Console 1.4.8 (2023/05/05) and later
- Media Streaming add-on 500.1.1.2 (2023/06/12) and later
- Media Streaming add-on 500.0.0.11 (2023/06/16) and later
To replace QTS, QuTS hero, or QuTScloud, directors can log in and navigate to Management Panel > System > Firmware Replace, and click on on “Examine for Replace” beneath Dwell Replace to obtain and set up the most recent model. Updates are additionally accessible as handbook downloads from QNAP’s web site.
Updating the Multimedia Console is feasible by on the lookout for the set up within the App Heart and clicking the “Replace” button (accessible provided that a more moderen model exists). The method is analogous for updating the Media Streaming add-on, which customers may also find by looking the App Heart.
Since NAS gadgets are usually used to retailer knowledge, command execution flaws might have a critical influence as cybercriminals are sometimes on the lookout for new targets to steal and/or encrypt delicate knowledge from. Attackers can then demand a ransom from the sufferer to not leak the info or to decrypt it.
QNAP gadgets have been focused up to now in large-scale ransomware assaults. A 12 months in the past, the Deadbolt ransomware gang exploited a zero-day vulnerability to encrypt NAS gadgets uncovered on the general public web.
That stated, QNAP customers are suggested to use the accessible security updates as quickly as attainable.
