QNAP and Veritas dump 30-plus vulns over the weekend

November 26, 2024 at 05:33AM

QNAP addressed 24 vulnerabilities in its products, including two critical and nine high-severity flaws. The most affected product was the Notes Station 3 app. Meanwhile, Veritas disclosed seven critical vulnerabilities in its Enterprise Vault software, with patches not expected until version 15.2 in Q3 2025, raising concerns about security management and response efficiency.

### Takeaways

1. **QNAP Vulnerabilities:**
   - QNAP addressed 24 vulnerabilities in various products, including two critical and nine high-severity flaws.
   - Potential impacts include code execution, file read/write, authentication bypass, information disclosure, and elevation of privileges.
   - The most affected product is QNAP’s Notes Station 3 (versions 3.9.x), which has critical bugs and two high-severity issues.
   - Other QNAP products at risk include Photo Station, AI Core, QuLog Center, QuRouter, Media Streaming Add-on, and the QTS/QuTS hero operating systems.

2. **OpenSSH Vulnerabilities:**
   - Previous versions of QTS (5.1.x) and QuTS hero (h5.1.x) are vulnerable to older OpenSSH flaws (CVE-2023-38408, CVE-2021-41617, CVE-2020-14145).
   - If upgrading to the 5.2 series isn’t feasible, fixes are available for the 5.1 series.

3. **Patch Release Observations:**
   - The patches for the vulnerabilities were released on November 23 (Saturday), raising questions about the timing.
   - QNAP withdrew a previous QTS firmware update due to user-reported malfunctions and quickly released a stable version.

4. **Veritas Vulnerabilities:**
   - Seven critical vulnerabilities were disclosed for Veritas Enterprise Vault, with a preliminary CVSSv3 severity rating of 9.8.
   - The vulnerabilities, reported in July, relate to the handling of untrusted data via .NET Remoting TCP ports and could allow code execution if exploited.
   - Veritas plans to release patches in version 15.2 of the platform, expected in Q3 2025, even though a November 21 deadline for fixes has passed.

5. **Exploitation Risks:**
   - Successful exploitation of both the QNAP and Veritas vulnerabilities requires specific conditions, including proper privileges and potentially misconfigured firewall settings.

6. **Follow-Up Actions:**
   - Await response from QNAP regarding the rationale for Saturday disclosures.
   - Seek clarification from Veritas about the delays in patch releases.
