QNAP vulnerability disclosure ends up an utter shambles

February 13, 2024 at 03:05PM

QNAP has disclosed and patched two vulnerabilities in its NAS devices, one of them a zero-day. The severity of the issues is disputed: QNAP rates one as mid-level, while Unit 42 calls it a critical threat. Both flaws are command injection bugs that can lead to remote code execution, affect a large number of devices, and come with separate patch recommendations for each affected firmware branch.

Key takeaways from the article:

1. QNAP, a Taiwanese network-attached storage (NAS) specialist, has disclosed and released fixes for two vulnerabilities, including a zero-day vulnerability discovered in early November.

2. The severity assessments conflict. QNAP assigned a middling 5.8-out-of-10 score to one of the vulnerabilities, while Unit 42 by Palo Alto Networks described the same bug as combining low attack complexity with critical impact. For a NAS reachable from the internet, the vendor score is not the number to prioritise on: a command injection with low attack complexity belongs on the critical patching timeline whatever the CVSS figure says.

3. The vulnerabilities, specifically CVE-2023-50358 and CVE-2023-47218, are command injection flaws in the quick.cgi component of QNAP’s QTS firmware, affecting various NAS devices. Unit 42 published a technical breakdown of CVE-2023-50358 and provided details on how to exploit the vulnerability.

4. Germany and the US were identified as the most exposed countries, with over 40,000 vulnerable devices each, while other countries such as China, Italy, Japan, Taiwan, and France also had a significant number of exposed devices.

5. QNAP’s disclosure highlights different patches available for different firmware versions of their products, with specific upgrade recommendations for each version.

6. These are the latest in a series of command injection flaws in the QTS and QuTS hero firmware; QNAP had already published 15 security advisories in 2024 by the time of this article.
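Since both bugs are command injection in quick.cgi, the practical question for a defender who cannot patch immediately is whether anyone has been probing that endpoint. The detector below is an added example and is not code from QNAP, Unit 42 or The Register: it scans web-server access logs for requests to quick.cgi whose URL-decoded parameters contain shell metacharacters. It assumes the endpoint is served at /cgi-bin/quick/quick.cgi and that the log is in combined format; the sample lines and their parameter names are constructed for the example and are not the real exploit parameters.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Assumption: on QTS the quick.cgi endpoint is reachable at /cgi-bin/quick/quick.cgi.
# Adjust the path if your device or reverse proxy exposes it elsewhere.
QUICK_CGI_RE = re.compile(r"/cgi-bin/quick/quick\.cgi(?:$|[/?])", re.IGNORECASE)

# Shell metacharacters that have no legitimate place in a quick.cgi parameter.
# Applied after URL-decoding, so %3B (;) and %60 (`) are caught as well.
SHELL_META_RE = re.compile(r"[;|&`<>\n]|\$\(|\$\{")

# Combined log format (assumed; adapt the regex to your proxy or NAS web log).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def decode_params(query):
    """Split a query string on '&' and URL-decode each key and value.

    Splitting happens before decoding, so an encoded %26 inside a value
    stays part of that value and is then seen as a literal '&'.
    """
    params = []
    for part in query.split("&"):
        if not part:
            continue
        key, _, value = part.partition("=")
        params.append((unquote_plus(key), unquote_plus(value)))
    return params


def classify(line):
    """Classify one log line.

    Returns None for lines that do not touch quick.cgi. Otherwise returns a
    dict whose 'verdict' is 'injection' (metacharacters in a decoded
    parameter), 'review' (POST: the body is not in the access log, so the
    parameters are unseen) or 'benign'.
    """
    rec = parse_line(line)
    if rec is None or not QUICK_CGI_RE.search(rec["target"]):
        return None
    params = decode_params(urlsplit(rec["target"]).query)
    suspicious = [
        (k, v) for k, v in params
        if SHELL_META_RE.search(k) or SHELL_META_RE.search(v)
    ]
    if suspicious:
        verdict = "injection"
    elif rec["method"] == "POST":
        verdict = "review"
    else:
        verdict = "benign"
    return {"ip": rec["ip"], "ts": rec["ts"], "verdict": verdict, "params": suspicious}


def scan(lines):
    """Return a finding for every quick.cgi request in an iterable of log lines."""
    return [r for r in (classify(line) for line in lines) if r is not None]


# Constructed sample log; the parameter names are made up for the example.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Feb/2024:10:01:02 +0000] "GET /cgi-bin/quick/quick.cgi?func=get_status HTTP/1.1" 200 512
203.0.113.7 - - [12/Feb/2024:10:01:05 +0000] "GET /cgi-bin/quick/quick.cgi?func=set_server&host=192.0.2.9;id HTTP/1.1" 200 38
198.51.100.4 - - [12/Feb/2024:10:02:11 +0000] "GET /cgi-bin/quick/quick.cgi?func=set_server&host=%60cat+%2Fetc%2Fpasswd%60 HTTP/1.1" 200 38
198.51.100.4 - - [12/Feb/2024:10:02:40 +0000] "POST /cgi-bin/quick/quick.cgi HTTP/1.1" 200 38
192.0.2.55 - - [12/Feb/2024:10:03:00 +0000] "GET /cgi-bin/login.cgi?user=admin;id HTTP/1.1" 403 0
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG.splitlines()):
        print(finding["ts"], finding["ip"], finding["verdict"], finding["params"])
```

POST requests to quick.cgi are only marked for review because an access log does not record the request body; if the proxy or NAS can log bodies, feed those through decode_params as well. A hit on a device that has not been upgraded to the fixed firmware is the signal to treat the box as potentially compromised rather than merely exposed.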

