Qnap has published several security reports warning of vulnerabilities in the QTS operating system and the Multimedia Console. Updated software to close the gaps is available. Administrators of Qnap devices should ensure that they use the latest versions of the firmware.
One gap affects the “legacy” QTS operating systems. Copying a buffer without first checking the size of the input can be misused by malicious actors to inject and execute malicious code. However, Qnap does not explain what such an attack looks like or where this copy operation takes place (CVE-2023-23363, CVSS 8.1, risk “high”).
Qnap: Vulnerabilities due to copying without length checks
The second vulnerability is also a potential buffer overflow due to missing length checks during copy processes. Here too, attackers may be able to inject and execute arbitrary code, although the manufacturer does not provide any information about potential attack vectors (CVE-2023-23364, CVSS 8.1, high).
The vulnerabilities in the Qnap operating system QTS are patched with updates to versions QTS 22.214.171.1241 Build 20230621, QTS 126.96.36.1991 Build 20230621, QTS 188.8.131.520 Build 20230621 and QTS 4.2.6 Build 20230621 and newer versions. These date from the end of June. If you haven’t installed them yet, you should do so now. The error is not found in QTS 5.x, 4.5.x, 4.4.x and QuTS hero, the Qnap authors add.
Versions 1.4.7 and 2.1.1 of the Multimedia Console close the gaps in this additional software. They have been available since the end of March. Here too, those affected should apply the update quickly.
If necessary, the updates can be initiated in the device user interface. In the control panel under “System” – “Firmware Update”, clicking on “Check for Update” under “Live Update” initiates the process. For a manual update, the updates can also be downloaded from the download center after entering the model number.
At the beginning of the week, Qnap warned of vulnerabilities in the QTS, QuTS hero and QuTScloud operating systems. They also allowed attackers to inject and execute malicious code.