Critical Vulnerability Allows Access to QNAP NAS Devices

March 11, 2024 at 10:03AM

Over the weekend, Taiwan-based QNAP Systems announced patches for critical vulnerabilities in several products, such as QTS, QuTS hero, and QuTScloud. The flaws could enable unauthenticated access to network-attached storage (NAS) devices. CVE-2024-21899 poses a high risk, while CVE-2024-21900 and CVE-2024-21901 present medium risks, requiring authentication for exploitation. QNAP also revealed patches for other medium-severity vulnerabilities.

Key takeaways:

– QNAP Systems has announced patches for multiple vulnerabilities affecting its products, including a critical-severity bug (CVE-2024-21899) leading to unauthenticated device access.
– The vulnerability impacts QNAP’s QTS, QuTS hero, and QuTScloud products, exposing network-attached storage (NAS) devices to unauthenticated access.
– The release of QTS 5.1.3.2578 build 20231110 and 4.5.4.2627 build 20231225, QuTS hero h5.1.3.2578 build 20231110 and h4.5.4.2626 build 20231225, and QuTScloud c5.1.5.2651 addresses the critical vulnerability.
– QNAP also addressed two medium-severity vulnerabilities (CVE-2024-21900 and CVE-2024-21901) in QTS, QuTS hero, QuTScloud, and myQNAPcloud.
– Additionally, patches were announced for several other medium-severity vulnerabilities in QuMagie Mobile, QTS, QuTS hero, QuTScloud, and Photo Station.
– QNAP emphasized that there have been no reports of these vulnerabilities being exploited in attacks.
– QNAP is known for its NAS and professional network video recorder (NVR) products and is aware that threat actors often exploit its product vulnerabilities in attacks.
