May 22, 2024 at 01:33AM
QNAP has addressed medium-severity security flaws in its QTS and QuTS hero, including permissions, code execution, and buffer overflow vulnerabilities. Fixes have been released, credited to Aliz Hammond of watchTowr Labs. Although some issues remain outstanding, QNAP has committed to improving coordination with researchers and enhancing security measures for its products. Users are advised to update to the latest software versions promptly.
After reviewing the meeting notes, here are the clear takeaways:
1. QNAP has addressed a set of medium-severity vulnerabilities that impact QTS and QuTS hero. These vulnerabilities include incorrect permission assignment, double free, and buffer overflow flaws, which could be exploited by authenticated users to execute arbitrary code via a network.
2. The patches for these vulnerabilities have been included in QTS 5.1.7.2770 build 20240520 and QuTS hero h5.1.7.2770 build 20240520. Aliz Hammond of watchTowr Labs is credited with discovering and reporting these flaws.
3. It’s noted that QNAP has yet to release fixes for CVE-2024-27131, which involves “Log spoofing via x-forwarded-for” and is expected to be remediated in QTS 5.2.0.
4. QNAP has committed to improving its security measures by addressing high- or critical-severity flaws within 45 days, and medium-severity vulnerabilities within 90 days. They aim to work closely with researchers to ensure the highest quality of security for their products.
5. Users of QNAP NAS devices are advised to update to the latest versions of QTS and QuTS hero to mitigate potential threats, especially considering past ransomware attacks that have exploited vulnerabilities in these devices.
These takeaways provide a clear understanding of the vulnerabilities, their patches, and QNAP’s commitment to enhancing security.