QNAP Releases Patch for 2 Critical Flaws Threatening Your NAS Devices

The Hacker News

Vulnerability / Data Security

QNAP has released security updates to address two critical security flaws impacting its operating system that could result in arbitrary code execution.

Tracked as CVE-2023-23368 (CVSS score: 9.8), the vulnerability is described as a command injection bug affecting QTS, QuTS hero, and QuTScloud.

“If exploited, the vulnerability could allow remote attackers to execute commands via a network,” the company said in an advisory published over the weekend.

The flaw affects the following versions:

  • QTS 5.0.x (Fixed in QTS 5.0.1.2376 build 20230421 and later)
  • QTS 4.5.x (Fixed in QTS 4.5.4.2374 build 20230416 and later)
  • QuTS hero h5.0.x (Fixed in QuTS hero h5.0.1.2376 build 20230421 and later)
  • QuTS hero h4.5.x (Fixed in QuTS hero h4.5.4.2374 build 20230417 and later)
  • QuTScloud c5.0.x (Fixed in QuTScloud c5.0.1.2374 and later)

Also fixed by QNAP is another command injection flaw in QTS, Multimedia Console, and Media Streaming add-on (CVE-2023-23369, CVSS score: 9.0) that could allow remote attackers to execute commands via a network.

The following versions of the software are impacted:

  • QTS 5.1.x (Fixed in QTS 5.1.0.2399 build 20230515 and later)
  • QTS 4.3.6 (Fixed in QTS 4.3.6.2441 build 20230621 and later)
  • QTS 4.3.4 (Fixed in QTS 4.3.4.2451 build 20230621 and later)
  • QTS 4.3.3 (Fixed in QTS 4.3.3.2420 build 20230621 and later)
  • QTS 4.2.x (Fixed in QTS 4.2.6 build 20230621 and later)
  • Multimedia Console 2.1.x (Fixed in Multimedia Console 2.1.2 (2023/05/04) and later)
  • Multimedia Console 1.4.x (Fixed in Multimedia Console 1.4.8 (2023/05/05) and later)
  • Media Streaming add-on 500.1.x (Fixed in Media Streaming add-on 500.1.1.2 (2023/06/12) and later)
  • Media Streaming add-on 500.0.x (Fixed in Media Streaming add-on 500.0.0.11 (2023/06/16) and later)

With QNAP devices exploited for ransomware attacks in the past, users running one of the aforementioned versions are urged to update to the latest version to mitigate potential threats.
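The check below is an added example, not code from the article or from QNAP: it compares an installed firmware string against the fixed releases listed above to triage an inventory for both CVEs. It assumes firmware is reported in the form the article uses (`<version> build <YYYYMMDD>`), covers only the operating systems (not Multimedia Console or the Media Streaming add-on), and the names `FIXED`, `parse` and `status` are hypothetical.

```python
import re

# Fixed firmware per CVE, copied from the lists in the article:
# (product, affected branch) -> (first fixed version, its build date or None)
FIXED = {
    "CVE-2023-23368": {
        ("QTS", "5.0"): ("5.0.1.2376", 20230421),
        ("QTS", "4.5"): ("4.5.4.2374", 20230416),
        ("QuTS hero", "h5.0"): ("h5.0.1.2376", 20230421),
        ("QuTS hero", "h4.5"): ("h4.5.4.2374", 20230417),
        ("QuTScloud", "c5.0"): ("c5.0.1.2374", None),
    },
    "CVE-2023-23369": {
        ("QTS", "5.1"): ("5.1.0.2399", 20230515),
        ("QTS", "4.3.6"): ("4.3.6.2441", 20230621),
        ("QTS", "4.3.4"): ("4.3.4.2451", 20230621),
        ("QTS", "4.3.3"): ("4.3.3.2420", 20230621),
        ("QTS", "4.2"): ("4.2.6", 20230621),
    },
}

def parse(fw):
    """Split '5.0.1.2376 build 20230421' into ((5, 0, 1, 2376), 20230421)."""
    m = re.fullmatch(r"[hc]?(\d+(?:\.\d+)*)(?:\s+build\s+(\d{8}))?", fw.strip())
    if not m:
        raise ValueError(f"unrecognised firmware string: {fw!r}")
    nums = tuple(int(n) for n in m.group(1).split("."))
    return nums, int(m.group(2)) if m.group(2) else None

def status(cve, product, fw):
    """Return 'patched', 'vulnerable', 'unknown' or 'not listed'."""
    nums, build = parse(fw)
    for (prod, branch), (fixed_ver, fixed_build) in FIXED[cve].items():
        prefix = parse(branch)[0]
        if prod != product or nums[:len(prefix)] != prefix:
            continue
        fixed = parse(fixed_ver)[0]
        # Compare only as many components as the fixed version states
        # (QTS 4.2.6 has three), padding a shorter installed version with 0.
        mine = (nums + (0,) * len(fixed))[:len(fixed)]
        if mine != fixed:
            return "patched" if mine > fixed else "vulnerable"
        if fixed_build is None:
            return "patched"
        if build is None:
            return "unknown"  # same version number, build date needed
        return "patched" if build >= fixed_build else "vulnerable"
    return "not listed"  # branch not in the article's list for this CVE
```

A result of `not listed` means only that the article names no fix for that branch and CVE; it is not a statement that the branch is unaffected.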

The development comes weeks after the Taiwanese company disclosed it took down a malicious server used in widespread brute-force attacks targeting internet-exposed network-attached storage (NAS) devices with weak passwords.

Related news

QNAP warns about critical vulnerabilities in NAS systems

Two critical remotely exploitable vulnerabilities in QNAP's network attached storage devices need to be patched. Do it now!

CVE-2023-23368: Vulnerability in QTS, QuTS hero, and QuTScloud - Security Advisory

An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to execute commands via a network. We have already fixed the vulnerability in the following versions:

  • QTS 5.0.1.2376 build 20230421 and later
  • QTS 4.5.4.2374 build 20230416 and later
  • QuTS hero h5.0.1.2376 build 20230421 and later
  • QuTS hero h4.5.4.2374 build 20230417 and later
  • QuTScloud c5.0.1.2374 and later

CVE-2023-23369: Vulnerability in QTS, Multimedia Console, and Media Streaming add-on - Security Advisory

An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to execute commands via a network. We have already fixed the vulnerability in the following versions:

  • Multimedia Console 2.1.2 (2023/05/04) and later
  • Multimedia Console 1.4.8 (2023/05/05) and later
  • QTS 5.1.0.2399 build 20230515 and later
  • QTS 4.3.6.2441 build 20230621 and later
  • QTS 4.3.4.2451 build 20230621 and later
  • QTS 4.3.3.2420 build 20230621 and later
  • QTS 4.2.6 build 20230621 and later
  • Media Streaming add-on 500.1.1.2 (2023/06/12) and later
  • Media Streaming add-on 500.0.0.11 (2023/06/16) and later