Headline
CVE-2021-38693: Path Traversal Vulnerability in thttpd - Security Advisory
A path traversal vulnerability has been reported to affect QNAP device running QuTScloud, QuTS hero, QTS, QVR Pro Appliance. If exploited, this vulnerability allows attackers to read the contents of unexpected files and expose sensitive data. We have already fixed this vulnerability in the following versions of QuTScloud, QuTS hero, QTS, QVR Pro Appliance: QuTScloud c5.0.1.1949 and later QuTS hero h5.0.0.1949 build 20220215 and later QuTS hero h4.5.4.1951 build 20220218 and later QTS 5.0.0.1986 build 20220324 and later QTS 4.5.4.1991 build 20220329 and later
<< Back to Security Advisory List
- Release date: May 6, 2022
- Security ID: QSA-22-13
- Severity: Medium
- CVE identifier: CVE-2021-38693
- Affected products: Certain QNAP NAS
- Status: Resolved
Summary
A path traversal vulnerability in thttpd has been reported to affect QNAP devices running QTS, QuTS hero, and QuTScloud. If exploited, this vulnerability allows attackers to access and read sensitive data.
We have already fixed this vulnerability in the following versions of QTS, QuTS hero, and QuTScloud:
- QTS 5.0.0.1986 build 20220324 and later
- QTS 4.5.4.1991 build 20220329 and later
- QuTS hero h5.0.0.1949 build 20220215 and later
- QuTS hero h4.5.4.1951 build 20220218 and later
- QuTScloud c5.0.1.1949
Recommendation
To secure your device, we recommend regularly updating your system to the latest version to benefit from vulnerability fixes. You can check the product support status to see the latest updates available to your NAS model.
Updating QTS, QuTS hero, or QuTScloud
- Log on to QTS, QuTS hero, or QuTScloud as administrator.
- Go to Control Panel > System > Firmware Update.
- Under Live Update, click Check for Update.
QTS, QuTS hero, or QuTScloud downloads and installs the latest available update.
Tip: You can also download the update from the QNAP website. Go to Support > Download Center and then perform a manual update for your specific device.
Acknowledgements:
Guido Giles and Iury Simas from Thomson Reuters
Rafay Baloch, Hammad Shamsi And Muhammad Samak from Cyber Citadel
Qualys
Revision History: V1.0 (May 6, 2022) - Published
Related news
This vulnerability arises because the application allows the user to perform some sensitive action without verifying that the request was sent intentionally. An attacker can cause a victim's browser to emit an HTTP request to an arbitrary URL in the application.
The BigFix Console installer is created with InstallShield, which was affected by CVE-2021-41526, a vulnerability that could allow a local user to perform a privilege escalation. This vulnerability was resolved by updating to an InstallShield version with the underlying vulnerability fixed.
An issue was discovered in the Sametime chat feature in the Notes 11.0 - 11.0.1 FP4 clients. An authenticated Sametime chat user could cause Remote Code Execution on another chat client by sending a specially formatted message through chat containing Javascript code.
An open redirect vulnerability has been reported to affect QNAP device running QuTScloud, QuTS hero and QTS. If exploited, this vulnerability allows attackers to redirect users to an untrusted page that contains malware. We have already fixed this vulnerability in the following versions of QuTScloud, QuTS hero and QTS: QuTScloud c5.0.1.1949 and later QuTS hero h5.0.0.1949 build 20220215 and later QuTS hero h4.5.4.1951 build 20220218 and later QTS 5.0.0.1986 build 20220324 and later QTS 4.5.4.1991 build 20220329 and later
An improper authentication vulnerability has been reported to affect QNAP device running Video Station. If exploited, this vulnerability allows attackers to compromise the security of the system. We have already fixed this vulnerability in the following versions of Video Station: Video Station 5.5.9 and later Video Station 5.3.13 and later Video Station 5.1.8 and later
An improper authentication vulnerability has been reported to affect QNAP device running Photo Station. If exploited, this vulnerability allows attackers to compromise the security of the system. We have already fixed this vulnerability in the following versions of Photo Station: Photo Station 6.0.20 ( 2022/02/15 ) and later Photo Station 5.7.16 ( 2022/02/11 ) and later Photo Station 5.4.13 ( 2022/02/11 ) and later