Headline
CVE-2021-44054: Multiple Vulnerabilities in QTS, QuTS hero, and QuTScloud - Security Advisory
An open redirect vulnerability has been reported to affect QNAP device running QuTScloud, QuTS hero and QTS. If exploited, this vulnerability allows attackers to redirect users to an untrusted page that contains malware. We have already fixed this vulnerability in the following versions of QuTScloud, QuTS hero and QTS: QuTScloud c5.0.1.1949 and later QuTS hero h5.0.0.1949 build 20220215 and later QuTS hero h4.5.4.1951 build 20220218 and later QTS 5.0.0.1986 build 20220324 and later QTS 4.5.4.1991 build 20220329 and later
<< Back to Security Advisory List
- Release date: May 6, 2022
- Security ID: QSA-22-16
- Severity: High
- CVE identifier: CVE-2021-44051 | CVE-2021-44052 | CVE-2021-44053 | CVE-2021-44054
- Affected products: Certain QNAP NAS
- Status: Resolved
Summary
Multiple vulnerabilities have been reported to affect QTS, QuTS hero, and QuTScloud:
CVE-2021-44051: Command injection vulnerability
- If exploited, this vulnerability allows remote attackers to run arbitrary commands.
CVE-2021-44052: Improper link resolution before file access (“link following”) vulnerability
- If exploited, this vulnerability allows remote attackers to traverse the file system to unintended locations and read or overwrite files.
CVE-2021-44053: Cross-site scripting (XSS) vulnerability
- If exploited, this vulnerability allows remote attackers to inject malicious code.
CVE-2021-44054: Open redirect vulnerability
- If exploited, this vulnerability allows attackers to redirect users to an untrusted page that contains malware.
We have already fixed the vulnerabilities in the following versions of QTS, QuTS hero, and QuTScloud:
- QTS 5.0.0.1986 build 20220324 and later
- QTS 4.5.4.1991 build 20220329 and later
- QTS 4.3.6.1965 build 20220302 and later
- QTS 4.3.4.1976 build 20220303 and later
- QTS 4.3.3.1945 build 20220303 and later
- QTS 4.2.6 build 20220304 and later
- QuTS hero h5.0.0.1986 build 20220324 and later
- QuTS hero h4.5.4.1971 build 20220310 and later
- QuTScloud c5.0.1.1998 and later
Recommendation
To fix the vulnerabilities, we recommend updating your QNAP operating system to one of the above versions or later.
Updating QTS, QuTS hero, or QuTScloud
- Log on to QTS, QuTS hero, or QuTScloud as administrator.
- Go to Control Panel > System > Firmware Update.
- Under Live Update, click Check for Update.
QTS, QuTS hero, or QuTScloud downloads and installs the latest available update.
Tip: You can also download the update from the QNAP website. Go to Support > Download Center and then perform a manual update for your specific device.
Acknowledgements: Enio Pena Navarro and Michael Messner from Siemens Energy AG
Revision History: V1.0 (May 6, 2022) - Published
Related news
This vulnerability arises because the application allows the user to perform some sensitive action without verifying that the request was sent intentionally. An attacker can cause a victim's browser to emit an HTTP request to an arbitrary URL in the application.
The BigFix Console installer is created with InstallShield, which was affected by CVE-2021-41526, a vulnerability that could allow a local user to perform a privilege escalation. This vulnerability was resolved by updating to an InstallShield version with the underlying vulnerability fixed.
An issue was discovered in the Sametime chat feature in the Notes 11.0 - 11.0.1 FP4 clients. An authenticated Sametime chat user could cause Remote Code Execution on another chat client by sending a specially formatted message through chat containing Javascript code.
An improper authentication vulnerability has been reported to affect QNAP device running Video Station. If exploited, this vulnerability allows attackers to compromise the security of the system. We have already fixed this vulnerability in the following versions of Video Station: Video Station 5.5.9 and later Video Station 5.3.13 and later Video Station 5.1.8 and later
An improper authentication vulnerability has been reported to affect QNAP device running Photo Station. If exploited, this vulnerability allows attackers to compromise the security of the system. We have already fixed this vulnerability in the following versions of Photo Station: Photo Station 6.0.20 ( 2022/02/15 ) and later Photo Station 5.7.16 ( 2022/02/11 ) and later Photo Station 5.4.13 ( 2022/02/11 ) and later
A path traversal vulnerability has been reported to affect QNAP device running QuTScloud, QuTS hero, QTS, QVR Pro Appliance. If exploited, this vulnerability allows attackers to read the contents of unexpected files and expose sensitive data. We have already fixed this vulnerability in the following versions of QuTScloud, QuTS hero, QTS, QVR Pro Appliance: QuTScloud c5.0.1.1949 and later QuTS hero h5.0.0.1949 build 20220215 and later QuTS hero h4.5.4.1951 build 20220218 and later QTS 5.0.0.1986 build 20220324 and later QTS 4.5.4.1991 build 20220329 and later