QNAP warns of critical auth bypass flaw in its NAS devices

QNAP warns of critical auth bypass flaw in its NAS devices

March 8, 2024 at 03:07PM

QNAP has warned of vulnerabilities in its NAS software, including QTS, QuTS hero, QuTScloud, and myQNAPcloud, which could grant unauthorized access to devices. The flaws include an authentication bypass, command injection, and SQL injection, affecting various operating systems. Users are advised to upgrade to specific versions to address the vulnerabilities and follow the recommended update procedures. NAS devices are often targeted for data theft and extortion, as they store valuable data and may not have updated OS/firmware. Previous ransomware operations like DeadBolt, Checkmate, and Qlocker have targeted QNAP devices, sometimes using zero-day exploits.

Based on the meeting notes, the key takeaways are:

1. QNAP has disclosed three vulnerabilities in its NAS software products – QTS, QuTS hero, QuTScloud, and myQNAPcloud – which could allow unauthorized access to devices, including an authentication bypass, command injection, and SQL injection.

2. The vulnerabilities impact various versions of the operating systems, including QTS 5.1.x, QTS 4.5.x, QuTS hero h5.1.x, QuTS hero h4.5.x, QuTScloud c5.x, and myQNAPcloud 1.0.x service.

3. Users are advised to upgrade to specific versions that address the three vulnerabilities and follow specific steps to update their systems.

4. NAS devices are often targeted for data theft and extortion, and groups like DeadBolt, Checkmate, and Qlocker have previously targeted QNAP devices, sometimes using zero-day exploits.

If there are any additional details or specific formatting required, feel free to let me know!

Full Article