With updated firmware, Qnap closes a critical vulnerability in its network storage devices running the QTS and QuTS hero operating systems. According to the company, attackers could use it to inject and execute their own code.
Qnap's security advisory gives no further details on the vulnerability. It does state that the flaw affects the NAS operating systems QTS 5.0.1 and QuTS hero h5.0.1, and the manufacturer rates its severity as critical, with a CVSS score of 9.8.
The vulnerability is tracked as CVE-2022-27596. The CVE entry attributes it to improper neutralization of special elements used in an SQL command, that is, SQL injection, which the Common Weakness Enumeration (CWE) scheme classifies as CWE-89. The advisory likewise does not name a specific attack vector through which malicious actors could exploit the vulnerability.
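To make the CWE-89 classification concrete, here is an added illustration in Python, not code from Qnap or from the advisory: a lookup that splices caller input into the SQL text, beside the parameterised form. The table, column names and payloads are constructed for this example and say nothing about where the flaw sits in QTS or QuTS hero.

```python
import sqlite3


# Constructed sample table for the illustration; it is not Qnap's schema.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE shares (name TEXT, owner TEXT, secret INTEGER)")
    conn.executemany(
        "INSERT INTO shares VALUES (?, ?, ?)",
        [("Public", "guest", 0), ("Backups", "admin", 1), ("Finance", "cfo", 1)],
    )
    return conn


def lookup_vulnerable(conn, name):
    """CWE-89: the caller's input is pasted into the SQL text, so quotes and
    comment markers inside it change the structure of the statement."""
    query = f"SELECT name, owner FROM shares WHERE name = '{name}' AND secret = 0"
    return conn.execute(query).fetchall()


def lookup_hardened(conn, name):
    """Parameterised statement: the driver passes the value separately from
    the SQL text, so it can only ever be compared against the column."""
    query = "SELECT name, owner FROM shares WHERE name = ? AND secret = 0"
    return conn.execute(query, (name,)).fetchall()


# Constructed payloads. The first turns the WHERE clause into a tautology and
# comments out the 'secret = 0' restriction; the second reads rows the query
# was never meant to return.
TAUTOLOGY = "x' OR 1=1 --"
UNION_READ = "x' UNION SELECT name, owner FROM shares WHERE secret = 1 --"


def demo():
    """Run both lookups against honest input and against each payload."""
    conn = make_db()
    return {
        "honest_vulnerable": lookup_vulnerable(conn, "Public"),
        "honest_hardened": lookup_hardened(conn, "Public"),
        "tautology_vulnerable": lookup_vulnerable(conn, TAUTOLOGY),
        "tautology_hardened": lookup_hardened(conn, TAUTOLOGY),
        "union_vulnerable": sorted(lookup_vulnerable(conn, UNION_READ)),
        "union_hardened": lookup_hardened(conn, UNION_READ),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:22} {rows}")
```

The hardened lookup returns nothing for either payload because the whole string is compared against the column as data. Parameterisation is the fix the CWE-89 entry points at; filtering quote characters out of the input is the weaker option, since the set of special elements depends on the database engine and on the context in which the value is used.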
Qnap NAS: Updates
Updating to QTS 5.0.1.2234 Build 20221201 or QuTS hero h5.0.1.2248 Build 20221215 closes the vulnerability. Administrators can find these builds by searching for their NAS model on Qnap's support status website.
Alternatively, administrators can check for the update directly on the affected device: in the Control Panel, under "System" - "Firmware Update" - "Live Update", click "Check for Update" and have it installed immediately. Qnap recently attracted attention because of a critical vulnerability in the optionally installable Photo Station component, through which the DeadBolt ransomware spread.
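For administrators with more than one device, here is an added helper in Python, not Qnap's code or tooling: it parses version strings in the "h5.0.1.2248 Build 20221215" form used above and compares them with the fixed builds named in this article. The handling of the version format and the decision to answer None for branches other than 5.0.1, which the advisory does not cover, are my assumptions; the sample inputs are constructed.

```python
import re

# Fixed builds named in the advisory, as given in this article.
FIXED = {
    "QTS": ((5, 0, 1, 2234), 20221201),
    "QuTS hero": ((5, 0, 1, 2248), 20221215),
}
# Only the 5.0.1 branch of each product is named as affected.
AFFECTED_BRANCH = (5, 0, 1)

# Assumed format: optional 'h' prefix, dotted numbers, optional 'Build YYYYMMDD'.
VERSION_RE = re.compile(r"^h?(\d+(?:\.\d+)*)(?:\s+build\s+(\d{8}))?$", re.IGNORECASE)


def parse_version(text):
    """'h5.0.1.2248 Build 20221215' -> ((5, 0, 1, 2248), 20221215).
    The build date is None when the string does not carry one."""
    match = VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = tuple(int(p) for p in match.group(1).split("."))
    build = int(match.group(2)) if match.group(2) else None
    return parts, build


def is_patched(product, text):
    """True or False for a device on the 5.0.1 branch; None when the device
    runs a branch the advisory does not speak about, so a human must decide."""
    if product not in FIXED:
        raise ValueError(f"unknown product: {product!r}")
    parts, build = parse_version(text)
    if parts[:3] != AFFECTED_BRANCH:
        return None
    fixed_parts, fixed_build = FIXED[product]
    if parts != fixed_parts:
        # Numeric comparison, so 5.0.1.2300 counts as newer than 5.0.1.2248
        # and a bare '5.0.1' (no build number) as older.
        return parts > fixed_parts
    if build is None:
        return True  # same build number, no date to refine the answer
    return build >= fixed_build


if __name__ == "__main__":
    # Constructed inventory lines, not real devices.
    for product, version in [
        ("QTS", "5.0.1.2234 Build 20221201"),
        ("QTS", "5.0.1.2000 Build 20220101"),
        ("QuTS hero", "h5.0.1.2248 Build 20221201"),
        ("QTS", "4.5.4.2000"),
    ]:
        print(f"{product:10} {version:28} patched={is_patched(product, version)}")
```

A None result is deliberate: a device on, say, a 4.x or 5.0.0 branch is outside what the advisory states, and a script that silently reported it as safe would hide exactly the cases that need a look at Qnap's support status page.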
(dmk)