QNAP warns of critical command injection flaws in QTS OS, apps

QNAP warns of critical command injection flaws in QTS OS, apps

November 6, 2023 at 07:52AM

QNAP Systems has issued security advisories regarding two critical command injection vulnerabilities in its QTS operating system and applications for network-attached storage (NAS) devices. The flaws, tracked as CVE-2023-23368 and CVE-2023-23369, can be exploited remotely by attackers. Multiple QTS versions are affected, but fixes are available for download. Admins are urged to update their systems promptly to mitigate the risk of data breaches and ransomware attacks.

Takeaways from the meeting notes:

1. QNAP Systems has published security advisories for two critical command injection vulnerabilities affecting multiple versions of the QTS operating system and applications on its NAS devices.
2. The first vulnerability (CVE-2023-23368) has a severity rating of 9.8 out of 10. It can be exploited remotely by a attacker to execute commands via a network. Affected versions include QTS 5.0.x and 4.5.x, QuTS hero h5.0.x and h4.5.x, and QuTScloud c5.0.1. Fixes are available in specific builds of each version.
3. The second vulnerability (CVE-2023-23369) has a severity rating of 9.0. It can also be exploited remotely. Impacted versions include QTS 5.1.x, 4.3.6, 4.3.4, 4.3.3, 4.2.x, Multimedia Console 2.1.x and 1.4.x, and Media Streaming add-on 500.1.x and 500.0.x. Fixes are available in specific builds of each version.
4. Administrators can update QTS, QuTS hero, or QuTScloud by logging in, navigating to Control Panel > System > Firmware Update, and clicking on “Check for Update” under Live Update. Updates can also be manually downloaded from QNAP’s website.
5. Multimedia Console can be updated by searching for the installation in the App Center and clicking the “Update” button if a newer version exists. The same process applies to updating the Media Streaming add-on.
6. NAS devices store sensitive data, making them attractive targets for cybercriminals. Command execution vulnerabilities could lead to data theft or encryption, potentially resulting in ransom demands.
7. QNAP devices have been targeted in large-scale ransomware attacks in the past, so it’s important for users to apply the available security updates promptly.

It is recommended to share these takeaways with relevant stakeholders and distribute the information to QNAP users for prompt action.

Full Article