QNAP warns of vulnerabilities in its NAS software products, including QTS, QuTS hero, QuTScloud, and myQNAPcloud, that could allow attackers to access devices.
The Taiwanese Network Attached Storage (NAS) device maker disclosed three vulnerabilities that can lead to an authentication bypass, command injection, and SQL injection.
While the last two require the attackers to be authenticated on the target system, which significantly lessens the risk, the first (CVE-2024-21899) can be executed remotely without authentication and is marked as “low complexity.”
The three flaws fixed are the following:
- CVE-2024-21899: Improper authentication mechanisms allow unauthorized users to compromise the system’s security via the network (remotely).
- CVE-2024-21900: This vulnerability could allow authenticated users to execute arbitrary commands on the system via a network, potentially leading to unauthorized system access or control.
- CVE-2024-21901: This flaw could enable authenticated administrators to inject malicious SQL code via the network, potentially compromising the database integrity and manipulating its contents.
The flaws impact various versions of QNAP’s operating systems, including QTS 5.1.x, QTS 4.5.x, QuTS hero h5.1.x, QuTS hero h4.5.x, QuTScloud c5.x, and the myQNAPcloud 1.0.x service.
Users are recommended to upgrade to the following versions, which address the three flaws:
- QTS 5.1.3.2578 build 20231110 and later
- QTS 4.5.4.2627 build 20231225 and later
- QuTS hero h5.1.3.2578 build 20231110 and later
- QuTS hero h4.5.4.2626 build 20231225 and later
- QuTScloud c5.1.5.2651 and later
- myQNAPcloud 1.0.52 (2023/11/24) and later
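As an added example (not from the article or from QNAP), here is a small Python inventory check that parses version strings in the form quoted above, keyed to the fixed versions listed, and flags hosts that are still below the fixed release or build. Host names and the non-fixed version numbers in the sample inventory are constructed for illustration.

```python
import re

# Fixed versions quoted on this page: (product, release branch) -> (version tuple, build or None).
FIXED = {
    ("QTS", (5, 1)): ((5, 1, 3, 2578), 20231110),
    ("QTS", (4, 5)): ((4, 5, 4, 2627), 20231225),
    ("QuTS hero", (5, 1)): ((5, 1, 3, 2578), 20231110),
    ("QuTS hero", (4, 5)): ((4, 5, 4, 2626), 20231225),
    ("QuTScloud", (5,)): ((5, 1, 5, 2651), None),
    ("myQNAPcloud", (1, 0)): ((1, 0, 52), None),
}

# Accepts the 'h' / 'c' prefixes QNAP uses for QuTS hero and QuTScloud.
VERSION_RE = re.compile(r"^[hc]?(\d+(?:\.\d+)*)(?:\s+build\s+(\d+))?$", re.I)

def parse_version(text):
    """'h5.1.3.2578 build 20231110' -> ((5, 1, 3, 2578), 20231110)."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    return nums, (int(m.group(2)) if m.group(2) else None)

def is_patched(product, version_text):
    """True/False for a branch in FIXED; None when the branch is not listed or
    the string lacks the build number needed to decide."""
    nums, build = parse_version(version_text)
    for (prod, branch), (fixed_nums, fixed_build) in FIXED.items():
        if prod != product or nums[:len(branch)] != branch:
            continue
        if nums != fixed_nums:
            return nums > fixed_nums   # tuple comparison is component-wise numeric
        if fixed_build is None:
            return True                # advisory lists no build: version match suffices
        return None if build is None else build >= fixed_build
    return None

def triage(inventory):
    """Map each (host, product, version) record to 'patched', 'update' or 'unknown'."""
    labels = {True: "patched", False: "update", None: "unknown"}
    return {host: labels[is_patched(prod, ver)] for host, prod, ver in inventory}

# Constructed sample inventory; host names and the non-fixed versions are illustrative.
SAMPLE_INVENTORY = [
    ("nas-01", "QTS", "5.1.3.2578 build 20231110"),        # exactly the fixed build
    ("nas-02", "QTS", "5.1.2.2533 build 20230926"),        # older 5.1.x release
    ("nas-03", "QuTS hero", "h4.5.4.2626 build 20231225"),
    ("nas-04", "QuTScloud", "c5.1.4.2596"),
    ("nas-05", "QTS", "5.0.1.2277 build 20230112"),        # branch not in the table
]
```

Hosts reported as "unknown" are on a branch the advisory does not list, or gave a version without the build number the comparison needs, and should be checked by hand rather than assumed safe.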
For QTS, QuTS hero, and QuTScloud, users should log in as administrators, navigate to ‘Control Panel > System > Firmware Update,’ and click ‘Check for Update’ to launch the automated installation process.
To update myQNAPcloud, log in as admin, open the ‘App Center,’ click on the search box, and type “myQNAPcloud” + ENTER. The update should appear in the results. Click on the ‘Update’ button to start.
NAS devices often store large amounts of valuable data for businesses and individuals, including sensitive personal information, intellectual property, and critical business data. At the same time, they are not closely monitored, remain always connected and exposed to the internet, and may be running outdated OS/firmware.
For all these reasons, NAS devices are often targeted for data theft and extortion.
Some ransomware operations previously known for targeting QNAP devices are DeadBolt, Checkmate, and Qlocker.
These groups have launched numerous attack waves against NAS users, often leveraging zero-day exploits to breach fully patched devices.
The best advice for NAS owners is to always keep your software updated and, even better, not to expose these types of devices to the internet.