
CVE-2021-28805: Inclusion of Sensitive Information in QSS - Security Advisory

Inclusion of sensitive information in the source code has been reported to affect certain QNAP switches running QSS. If exploited, this vulnerability allows attackers to read application data. This issue affects: QNAP Systems Inc. QSS versions prior to 1.0.3 build 20210505 on QSW-M2108-2C; versions prior to 1.0.3 build 20210505 on QSW-M2108-2S; versions prior to 1.0.3 build 20210505 on QSW-M2108R-2C; versions prior to 1.0.12 build 20210506 on QSW-M408.



  • Release date: June 11, 2021
  • Security ID: QSA-21-24
  • Severity: High
  • CVE identifier: CVE-2021-28805
  • Affected products: Certain QNAP Switches
  • Status: Resolved

Summary

Inclusion of sensitive information in the source code has been reported to affect certain QNAP switches running QSS. If exploited, this vulnerability allows attackers to read application data.

We have already fixed this vulnerability in the following versions:

  • QSW-M2108-2C: QSS 1.0.3 build 20210505 and later
  • QSW-M2108-2S: QSS 1.0.3 build 20210505 and later
  • QSW-M2108R-2C: QSS 1.0.3 build 20210505 and later
  • QSW-M408: QSS 1.0.12 build 20210506 and later
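
An inventory check against the fixed versions listed above, as an added example that is not part of QNAP's advisory. The host names and firmware strings are constructed; the "QSS <version> build <date>" string format and the ordering by version, then build date, are assumptions based on how the advisory writes versions.

```python
import re

# Fixed releases from the advisory: model -> (version tuple, build date).
FIXED = {
    "QSW-M2108-2C": ((1, 0, 3), 20210505),
    "QSW-M2108-2S": ((1, 0, 3), 20210505),
    "QSW-M2108R-2C": ((1, 0, 3), 20210505),
    "QSW-M408": ((1, 0, 12), 20210506),
}

# Assumed firmware string format, e.g. "QSS 1.0.3 build 20210505".
_FW = re.compile(r"^\s*(?:QSS\s+)?(\d+(?:\.\d+)*)\s+build\s+(\d{8})\s*$", re.I)

def parse_firmware(text):
    """Parse 'QSS 1.0.3 build 20210505' into ((1, 0, 3), 20210505)."""
    m = _FW.match(text)
    if not m:
        raise ValueError(f"unrecognised firmware string: {text!r}")
    return tuple(int(p) for p in m.group(1).split(".")), int(m.group(2))

def status(model, firmware):
    """Return 'fixed', 'vulnerable', 'not-listed' or 'unknown'."""
    fixed = FIXED.get(model.strip().upper())
    if fixed is None:
        return "not-listed"  # model is not named in this advisory
    try:
        current = parse_firmware(firmware)
    except ValueError:
        return "unknown"  # unparseable string: needs manual review
    # Tuples compare numerically per component, so 1.0.9 < 1.0.12
    # (a plain string comparison would get this wrong). The build
    # date breaks ties within the same version.
    return "fixed" if current >= fixed else "vulnerable"

# Constructed inventory: (host, model, firmware string as reported).
INVENTORY = [
    ("sw-core-1", "QSW-M408", "QSS 1.0.9 build 20210301"),
    ("sw-core-2", "QSW-M408", "QSS 1.0.12 build 20210506"),
    ("sw-lab-1", "QSW-M2108-2C", "1.0.3 build 20210401"),
    ("sw-lab-2", "qsw-m2108r-2c", "QSS 1.0.4 build 20210701"),
    ("sw-lab-3", "QSW-M2108-2S", "firmware n/a"),
]

def audit(inventory):
    """Map each host to its advisory status."""
    return {host: status(model, fw) for host, model, fw in inventory}

if __name__ == "__main__":
    for host, result in audit(INVENTORY).items():
        print(f"{host}: {result}")
```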

Recommendation

To secure your device, we recommend regularly updating your system to the latest version to benefit from vulnerability fixes.

Updating QSS

  1. Log on to QSS.
  2. Go to System > Firmware Update > Live Update.
  3. Click Check for Update.
    QSS checks for available firmware updates.
  4. Click Update System.
    A confirmation message appears.
  5. Click Update.
    QSS downloads and installs the latest available update.

Tip: You can also download the update from the QNAP website. Go to Support > Download Center and then perform a manual update for your specific device.

Acknowledgements: Jan Hoff

Revision History: V1.0 (June 11, 2021) - Published
