Qnap closes NAS security gaps from hacker competition Pwn2Own

Attackers can target various network storage models from Qnap and, among other things, access files without authorization. The vendor has now released security patches against this for download.


Two of the closed vulnerabilities (CVE-2023-51364 "high", CVE-2023-51365 "high") come from the hacker competition Pwn2Own 2023. Qnap writes in an advisory that attackers can reach restricted folders by means of a path traversal attack and thereby disclose sensitive data on the network. How such an attack would proceed in detail is still unclear.

NAS device owners should make sure in the settings that at least one of the following versions of the QTS, QuTS hero or QuTScloud operating systems is installed:

  • QTS 5.1.4.2596 build 20231128
  • QTS 4.5.4.2627 build 20231225
  • QuTS hero h5.1.3.2578 build 20231110
  • QuTS hero h4.5.4.2626 build 20231225
  • QuTScloud c5.1.5.2651
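An added helper (not from Qnap or this article) that checks an installed version string against the fixed releases listed above. It compares branch by branch, because the list is per branch: a QTS 4.5.4 device is not covered by the 5.1.4 fix, and a branch the advisory does not list is reported as unverified. The version strings fed to it below are constructed samples.

```python
import re
from typing import Optional, Tuple

# Fixed releases exactly as listed in the advisory above.
FIXED_RELEASES = [
    "QTS 5.1.4.2596 build 20231128",
    "QTS 4.5.4.2627 build 20231225",
    "QuTS hero h5.1.3.2578 build 20231110",
    "QuTS hero h4.5.4.2626 build 20231225",
    "QuTScloud c5.1.5.2651",
]

# Product name, optional h/c prefix, four numeric components, optional build date.
_VERSION_RE = re.compile(
    r"^(?P<product>QTS|QuTS hero|QuTScloud)\s+[hc]?"
    r"(?P<ver>\d+(?:\.\d+){3})(?:\s+build\s+(?P<build>\d{8}))?$"
)


def parse_version(text: str) -> Tuple[str, Tuple[int, ...], Optional[str]]:
    """Split 'QuTS hero h4.5.4.2626 build 20231225' into product, numbers, date."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    numbers = tuple(int(p) for p in m.group("ver").split("."))
    return m.group("product"), numbers, m.group("build")


def is_patched(installed: str) -> bool:
    """True only if the installed release is at or above the fixed build of its
    OWN branch (first three components). A branch not in the advisory returns
    False, i.e. 'not verified' rather than 'assumed safe'."""
    product, ver, build = parse_version(installed)
    for fixed in FIXED_RELEASES:
        f_product, f_ver, f_build = parse_version(fixed)
        if f_product != product or f_ver[:3] != ver[:3]:
            continue  # different product or different branch
        if ver[3] != f_ver[3]:
            return ver[3] > f_ver[3]
        # Same build number: fall back to the build date when both are known.
        if build and f_build:
            return build >= f_build
        return True
    return False


if __name__ == "__main__":
    for sample in ("QTS 4.5.4.2600 build 20231101", "QTS 5.1.4.2596 build 20231128"):
        print(sample, "->", "patched" if is_patched(sample) else "NOT patched")
```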

In addition, attackers can exploit a vulnerability (CVE-2023-47222 "high") in the Media Streaming add-on. If such an attack succeeds, security mechanisms can be bypassed. Version 500.1.1.5 (2024/01/22) fixes this.

The QuFirewall and Squid add-ons are also vulnerable. In the case of QuFirewall, an attacker must already be an admin in order to leak data. Version 2.4.1 (2024/02/01) provides a remedy here. With Squid, the proxy server itself is vulnerable; the developers have closed the vulnerabilities (CVE-2023-5824 "medium", CVE-2023-46724 "medium", CVE-2023-46846 "medium", CVE-2023-46847) in version 1.4.6.


(of)
