Scrape Timestamp (UTC): 2023-11-06 12:49:00.828
Original Article Text
QNAP warns of critical command injection flaws in QTS OS, apps

QNAP Systems published security advisories for two critical command injection vulnerabilities that impact multiple versions of the QTS operating system and applications on its network-attached storage (NAS) devices.

The first flaw is tracked as CVE-2023-23368 and has a critical severity rating of 9.8 out of 10. It is a command injection vulnerability that a remote attacker can exploit over the network to execute commands. QTS versions affected by the security issue are QTS 5.0.x and 4.5.x, QuTS hero h5.0.x and h4.5.x, and QuTScloud c5.0.1.

Fixes are available in the following releases:

The second vulnerability is identified as CVE-2023-23369 and has a lower severity rating of 9.0; it could also be exploited by a remote attacker to the same effect as the first. Impacted QTS versions include 5.1.x, 4.3.6, 4.3.4, 4.3.3, and 4.2.x, Multimedia Console 2.1.x and 1.4.x, and Media Streaming add-on 500.1.x and 500.0.x.

Fixes are available in:

To update QTS, QuTS hero, or QuTScloud, administrators can log in and navigate to Control Panel > System > Firmware Update, then click "Check for Update" under Live Update to download and install the latest version. Updates are also available as manual downloads from QNAP's website.

The Multimedia Console can be updated by locating it in the App Center and clicking the "Update" button (shown only if a newer version exists). The process is similar for the Media Streaming add-on, which users can also find by searching the App Center.

Since NAS devices are typically used to store data, command execution flaws can have a serious impact: cybercriminals are constantly looking for new targets from which to steal and/or encrypt sensitive data, and then demand a ransom from the victim to not leak the data or to decrypt it. QNAP devices have been targeted in the past in large-scale ransomware attacks.

A year ago, the Deadbolt ransomware gang exploited a zero-day vulnerability to encrypt NAS devices exposed on the public internet. Accordingly, QNAP users are advised to apply the available security updates as soon as possible.
Daily Brief Summary
QNAP Systems issued advisories around two critical command injection vulnerabilities that are present in multiple versions of the QTS operating system and associated apps on its network-attached storage (NAS) devices.
The first vulnerability, tracked as CVE-2023-23368, has a critical severity rating of 9.8 out of 10 and is exploitable by remote attackers. Affected versions are QTS 5.0.x and 4.5.x, QuTS hero h5.0.x and h4.5.x, and QuTScloud c5.0.1.
The second flaw, identified as CVE-2023-23369, is rated with lower criticality (9.0) and can be leveraged to similar effect by remote attackers. Impacted versions are QTS 5.1.x, 4.3.6, 4.3.4, 4.3.3, and 4.2.x, plus the Multimedia Console 2.1.x and 1.4.x, and the Media Streaming add-on 500.1.x and 500.0.x.
Remediation for both of these vulnerabilities is available and involves updating the QTS, QuTS hero and QuTScloud systems. Instructions have also been provided for updating the Multimedia Console and the Media Streaming add-on.
QNAP advised users to apply the patches swiftly due to the potential severity of the flaws.
NAS devices are typically used to store data, hence these vulnerabilities could potentially allow cybercriminals to steal or encrypt sensitive data. QNAP has been targeted in the past by ransomware attacks, notably by the Deadbolt ransomware gang.