November 25, 2024 at 05:18PM
QNAP has issued security bulletins addressing multiple vulnerabilities, including three critical ones in Notes Station 3 and QuRouter. Users are urged to update to the latest versions to mitigate risks. Other products also received important fixes. QNAP advises against direct Internet connections for devices to prevent exploitation.
### Meeting Takeaways:
1. **Critical Vulnerabilities Identified:**
   - **QNAP Notes Station 3:**
     - **CVE-2024-38643:** Missing authentication for critical functions (CVSS v4 score: 9.3). Remote attackers may gain unauthorized access.
     - **CVE-2024-38645:** Server-side request forgery (SSRF) vulnerability that could let an authenticated attacker expose sensitive data.
   - **QuRouter 2.4.x Products:**
     - **CVE-2024-48860:** OS command injection flaw (CVSS v4 score: 9.5) allowing remote command execution.
   - Other vulnerabilities (CVE-2024-38644 and CVE-2024-38646) in Notes Station 3 and two command injection problems in QuRouter were also addressed (high severity, CVSS scores between 8.4 and 8.7).
2. **Recommended Actions:**
   - Users of **QNAP Notes Station 3** should update to version 3.9.7 or later.
   - Users of **QuRouter** should update to version 2.4.3.106.
   - Updates and mitigation instructions are provided in the security bulletins.
3. **Fixes for Other QNAP Products:**
   - **QNAP AI Core:** Fixed CVE-2024-38647 (information exposure) in version 3.4.1 and later.
   - **QuLog Center:** Fixed CVE-2024-48862 (link-following flaw) in versions 1.7.0.831 and 1.8.0.888.
   - **QTS/QuTS hero:** Resolved CVE-2024-50396 (remote memory manipulation) and CVE-2024-50397 (user-level access) in versions 5.2.1.2930 and h5.2.1.2929, respectively.
4. **Security Recommendations:**
   - Customers are urged to install updates promptly to mitigate security risks.
   - QNAP devices should not be connected directly to the Internet; place them behind a VPN to prevent remote exploitation.
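To act on the recommended versions above, a defender first needs to know which devices are still below them. The following Python script is an added example, not QNAP's own tooling: it checks a constructed inventory against the fixed versions quoted in this summary. The inventory, the version-parsing rule (a leading `h` on QuTS hero builds is dropped, components are compared numerically, and QuLog Center's two fixed builds are matched per release branch) and the fallback used when an installed version matches no fixed branch are all assumptions made for the example.

```python
import re
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Fixed versions as stated in the bulletin summary. QuLog Center was fixed in two
# release branches, so a product maps to a list of fixed versions. QTS and QuTS hero
# are separate product lines and are tracked under separate keys.
FIXED_VERSIONS: Dict[str, List[str]] = {
    "Notes Station 3": ["3.9.7"],
    "QuRouter": ["2.4.3.106"],
    "QNAP AI Core": ["3.4.1"],
    "QuLog Center": ["1.7.0.831", "1.8.0.888"],
    "QTS": ["5.2.1.2930"],
    "QuTS hero": ["h5.2.1.2929"],
}


def parse_version(version: str) -> Version:
    """Turn '3.9.7' or 'h5.2.1.2929' into a tuple of ints.

    Assumption: an optional leading letter (the 'h' on QuTS hero builds) is only a
    product marker and is dropped; the dotted components are compared numerically.
    """
    match = re.fullmatch(r"[A-Za-z]?(\d+(?:\.\d+)*)", version.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def at_least(installed: Version, fixed: Version) -> bool:
    """Numeric comparison; missing trailing components count as 0 ('3.9.7' == '3.9.7.0')."""
    width = max(len(installed), len(fixed))
    padded_installed = installed + (0,) * (width - len(installed))
    padded_fixed = fixed + (0,) * (width - len(fixed))
    return padded_installed >= padded_fixed


def is_fixed(product: str, installed: str) -> bool:
    """True when the installed build is at or above the fixed build for its release branch.

    The branch is the first two components (1.7.x vs 1.8.x). If no fixed version
    shares the installed branch, the installed build must be at or above the highest
    fixed version (assumption: a later branch carries the fix, an older one does not).
    """
    inst = parse_version(installed)
    fixed = [parse_version(v) for v in FIXED_VERSIONS[product]]
    same_branch = [f for f in fixed if f[:2] == inst[:2]]
    target = max(same_branch) if same_branch else max(fixed)
    return at_least(inst, target)


def audit(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Return (host, product, installed) for every entry still below its fixed version."""
    return [(host, product, version) for host, product, version in inventory
            if not is_fixed(product, version)]


# Constructed inventory: hostnames and installed versions are made up for this example.
SAMPLE_INVENTORY = [
    ("nas-01", "Notes Station 3", "3.9.6"),
    ("nas-01", "QTS", "5.2.1.2930"),
    ("nas-02", "QuTS hero", "h5.2.0.2860"),
    ("nas-02", "QuLog Center", "1.7.0.831"),
    ("nas-03", "QNAP AI Core", "3.4.0"),
    ("router-01", "QuRouter", "2.4.3.106"),
]

if __name__ == "__main__":
    for host, product, version in audit(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} is below the fixed version "
              f"{', '.join(FIXED_VERSIONS[product])}; update required")
```

Running the script lists the three constructed entries that are still below their fixed builds (Notes Station 3 on nas-01, QuTS hero on nas-02, AI Core on nas-03), while QuLog Center 1.7.0.831 is accepted because it matches the 1.7 branch fix rather than being compared against 1.8.0.888. Feed it real inventory data and review the output against the vendor bulletins before treating a device as patched.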
### Conclusion:
QNAP has released critical updates addressing multiple vulnerabilities. Immediate action is necessary to ensure user security by updating affected products.