May 21, 2024 at 12:45PM
QNAP Systems issued patches for multiple vulnerabilities, including CVE-2024-27130, described as an unsafe use of the ‘strcpy’ function in the No_Support_ACL function, leading to a stack buffer overflow and potential remote code execution. QNAP advised users to update to QTS 5.1.7 to mitigate the risk and address multiple other vulnerabilities. watchTowr disclosed a total of 15 vulnerabilities in QNAP’s devices in the past half-year.
Key takeaways:
– QNAP Systems has released patches for multiple vulnerabilities in its NAS devices, including CVE-2024-27130, which became a concern after proof-of-concept code was published last week.
– The vulnerability, related to the unsafe use of the ‘strcpy’ function in the No_Support_ACL function, can lead to a stack buffer overflow and remote code execution. Successful exploitation requires the attacker to obtain the ‘ssid’ parameter generated when a file is shared.
– The release of QTS 5.1.7.2770 and QuTS hero h5.1.7.2770 includes patches for CVE-2024-27130 and four other vulnerabilities reported by watchTowr.
– QNAP urges users to update to QTS 5.1.7 / QuTS hero h5.1.7 as soon as possible to ensure their systems are protected, as threat actors have exploited QNAP vulnerabilities for which patches had already been released.
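As an added illustration, not QNAP's code (the page shows none), a hypothetical C handler with the unchecked strcpy pattern the advisory describes beside a bounded replacement that rejects over-long input; the buffer size, function names and the sample parameter values are assumptions:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
/* Hypothetical fixed-size stack buffer; the real size in the QNAP handler
 * is not stated on the page. */
#define PARAM_MAX 64

/* Vulnerable pattern (CVE-2024-27130 class): the length of the request-
 * supplied parameter is never checked, so strcpy writes strlen(param)+1
 * bytes into a PARAM_MAX-byte stack buffer and overruns it for long input. */
void handle_param_unsafe(const char *param) {
    char buf[PARAM_MAX];
    strcpy(buf, param);               /* unbounded copy: the bug */
    printf("parameter: %s\n", buf);
}

/* Bytes the unchecked strcpy above would write past the end of buf for this
 * input (0 when it fits). Pure arithmetic, so calling it is safe. */
size_t overrun_bytes(const char *param) {
    size_t needed = strlen(param) + 1;      /* including the NUL */
    return needed > PARAM_MAX ? needed - PARAM_MAX : 0;
}

/* Hardened form: copy only if the whole string, NUL included, fits in dst.
 * memchr never looks past dst_len bytes of src, so over-long or unterminated
 * input is rejected instead of copied. */
bool copy_bounded(char *dst, size_t dst_len, const char *src) {
    if (src == NULL || dst_len == 0) return false;
    const char *nul = memchr(src, '\0', dst_len);
    if (nul == NULL) return false;          /* no NUL within dst_len: too long */
    memcpy(dst, src, (size_t)(nul - src) + 1);
    return true;
}

/* Fixed handler: rejects oversized parameters instead of overflowing. */
bool handle_param_safe(const char *param) {
    char buf[PARAM_MAX];
    if (!copy_bounded(buf, sizeof buf, param)) return false; /* log + reject */
    printf("parameter: %s\n", buf);
    return true;
}

int main(void) {
    char longv[101];                        /* constructed 100-byte input */
    memset(longv, 'A', 100); longv[100] = '\0';
    printf("short ok=%d long ok=%d overrun=%zu\n", handle_param_safe("share-abc123"),
           handle_param_safe(longv), overrun_bytes(longv));
    return 0;
}
```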