Over the weekend, Qnap published advisories about several critical vulnerabilities in its QTS, QuTS Hero and QuTScloud operating systems. Attackers on the network could use them to compromise vulnerable systems. Further Qnap software is affected by additional vulnerabilities as well.
Qnap has published a total of five security advisories. The most serious one covers three vulnerabilities in the NAS operating systems. An improper authentication flaw lets attackers on the network compromise systems (CVE-2024-21899, CVSS 9.8, risk "critical"). Logged-in administrators can inject malicious code into myQNAPcloud through an SQL injection hole (CVE-2024-21901, CVSS 4.7, medium), and authenticated users can execute commands over the network (CVE-2024-21900, CVSS 4.3, medium).
Multiple Qnap OS security warnings
Another advisory from the weekend affects the same operating systems. Logged-in administrators can inject operating system commands over the network. Qnap rates CVE-2023-34975 at CVSS 6.6 (medium risk), while NIST assigns CVSS 8.8, just short of critical, and classifies the threat as high. A second, similar vulnerability receives a slightly lower score (CVE-2023-34980, CVSS 5.9, medium).
There is also a cross-site scripting vulnerability in the Network & Virtual Switch component of QTS, QuTS Hero and QuTScloud (CVE-2023-32969, CVSS 4.9, medium). Qnap further reports several vulnerabilities in the jackson-databind component of the QuMagie Mobile app for Android. Additionally, a path traversal vulnerability in Photo Station allows authenticated administrators to access files or sensitive information without authorization (CVE-2023-47221, CVSS 5.3, medium).
Updated firmware that closes these gaps has been available since the end of last year; the vulnerabilities themselves have only now been disclosed. Qnap owners should make sure their devices run at least the following versions
- QTS 5.1.4.2596 Build 20231128
- QTS 5.1.3.2578 Build 20231110
- QTS 4.5.4.2627 Build 20231225
- QuTS Hero h5.1.4.2596 Build 20231128
- QuTS Hero h5.1.3.2578 Build 20231110
- QuTS Hero h4.5.4.2626 Build 20231225
- QuTScloud c5.1.5.2651
- QuTScloud c5.1.0.2498 Build 20230822
- myQNAPcloud 1.0.52 (2023/11/24)
- Photo Station 6.4.2 (2023/12/15)
- QuMagie Mobile 2.2.0.0126 for Android
or newer.
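Because Qnap maintains several firmware branches in parallel (5.1.4.x, 5.1.3.x and 4.5.4.x are all listed above as fixed), a naive "is my version number higher?" comparison gives the wrong answer: 5.1.4.2500 sorts above 5.1.3.2578 but is still unpatched. The following script is an added example, not a Qnap tool: it parses version strings of the form shown in the list above (the product prefix, the four numeric components and an optional "Build YYYYMMDD" date are assumptions about the string format, not something the advisory specifies) and compares the build number against the fix for the same branch. The sample inputs at the bottom are constructed for illustration.

```python
"""Check a Qnap OS version string against the minimum fixed versions above.

Added example; not Qnap's code. Assumes version strings look like the ones
in the advisory list ("5.1.4.2596 Build 20231128", "h5.1.4.2596",
"c5.1.5.2651"), optionally prefixed with the product name, and that a
hotfix branch is identified by the first three numeric components.
"""
import re
from typing import NamedTuple, Optional, Tuple

# Minimum fixed versions, copied from the list above (page data).
FIXED_VERSIONS = {
    "QTS": ["5.1.4.2596", "5.1.3.2578", "4.5.4.2627"],
    "QuTS Hero": ["h5.1.4.2596", "h5.1.3.2578", "h4.5.4.2626"],
    "QuTScloud": ["c5.1.5.2651", "c5.1.0.2498"],
}

# Assumed string format: [product] [h|c]A.B.C.BUILD [Build YYYYMMDD]
_VERSION_RE = re.compile(
    r"^(?:(?P<product>QTS|QuTS Hero|QuTScloud)\s+)?"
    r"(?P<prefix>[hc]?)(?P<a>\d+)\.(?P<b>\d+)\.(?P<c>\d+)\.(?P<build>\d+)"
    r"(?:\s+Build\s+(?P<date>\d{8}))?$",
    re.IGNORECASE,
)

_PRODUCT_BY_PREFIX = {"": "QTS", "h": "QuTS Hero", "c": "QuTScloud"}
_PRODUCT_BY_NAME = {"qts": "QTS", "quts hero": "QuTS Hero", "qutscloud": "QuTScloud"}


class QnapVersion(NamedTuple):
    product: str
    branch: Tuple[int, int, int]   # e.g. (5, 1, 4)
    build: int                     # e.g. 2596
    build_date: Optional[str]      # e.g. "20231128", if present


def parse_version(text: str) -> QnapVersion:
    """Parse a version string; the h/c prefix identifies the product if no name is given."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Qnap version string: {text!r}")
    if m["product"]:
        product = _PRODUCT_BY_NAME[m["product"].lower()]
    else:
        product = _PRODUCT_BY_PREFIX[m["prefix"].lower()]
    branch = (int(m["a"]), int(m["b"]), int(m["c"]))
    return QnapVersion(product, branch, int(m["build"]), m["date"])


def check_version(text: str) -> str:
    """Return 'fixed', 'vulnerable' or 'newer-than-listed' for a version string."""
    v = parse_version(text)
    fixed = [parse_version(f) for f in FIXED_VERSIONS[v.product]]

    # Compare the build number against the fix for the *same* branch; a
    # plain tuple compare would wrongly rate 5.1.4.2500 above 5.1.3.2578.
    same_branch = [f for f in fixed if f.branch == v.branch]
    if same_branch:
        return "fixed" if v.build >= same_branch[0].build else "vulnerable"

    # Branch not in the advisory: a branch above every listed one is newer
    # than the fixes (confirm against Qnap's advisory); anything else is an
    # older, unlisted branch and must be treated as unpatched.
    newest = max(fixed, key=lambda f: (f.branch, f.build))
    if (v.branch, v.build) > (newest.branch, newest.build):
        return "newer-than-listed"
    return "vulnerable"


if __name__ == "__main__":
    # Constructed sample inputs; only the first and fourth appear in the list above.
    for sample in [
        "QTS 5.1.4.2596 Build 20231128",
        "QTS 5.1.4.2500",
        "5.1.2.2533",
        "QuTS Hero h4.5.4.2626 Build 20231225",
        "c5.1.0.2400",
        "QTS 5.1.5.2700",
    ]:
        print(f"{sample:40s} -> {check_version(sample)}")
```

Run it against the version string shown in the firmware update page of each device; the script only answers for the three operating systems, so the app versions (myQNAPcloud, Photo Station, QuMagie Mobile) still need to be checked in the App Center by hand.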
About a month ago, Qnap also closed several vulnerabilities in the QTS, QuTS Hero and QuTScloud NAS operating systems that allowed command injection over the network.
(dmk)