Qnap's QTS, QuTS hero and QuTScloud operating systems contain vulnerabilities that let attackers inject commands. Updated firmware corrects the security-related errors.
The most serious vulnerability allows logged-in users to execute commands over the network (CVE-2023-23362, no CVSS value yet, risk according to Qnap "high"). Two further weaknesses, which allow writing outside the intended memory limits, let authenticated attackers cripple devices over the network with a denial-of-service attack (CVE-2023-23358, CVE-2023-23359, no CVSS value, "medium").
Qnap: Three security advisories on the vulnerabilities
A third security advisory from Qnap concerns NULL pointer dereferences that allow malicious authenticated actors to carry out denial-of-service attacks over the network (CVE-2023-23360, CVE-2023-23361, no CVSS value, "medium").
The following operating system versions, or newer ones, close the vulnerabilities:
- QTS 5.0.1.2376 Build 20230421
- QTS 4.5.4.2374 Build 20230416
- QuTS hero h5.0.1.2376 Build 20230421
- QuTS hero h4.5.4.2374 Build 20230417
- QuTScloud c5.0.1.2374
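To check a fleet against the list above, the following added example (not code from Qnap or the article) parses firmware strings and compares them with the fixed release of the same product and branch. The host names and inventory versions are constructed, and treating each x.y.z branch separately and reporting other branches as "unlisted" is an assumption made here.

```python
import re

# Fixed releases exactly as listed in the article.
FIXED = [
    "QTS 5.0.1.2376 Build 20230421",
    "QTS 4.5.4.2374 Build 20230416",
    "QuTS hero h5.0.1.2376 Build 20230421",
    "QuTS hero h4.5.4.2374 Build 20230417",
    "QuTScloud c5.0.1.2374",
]
_VERSION = re.compile(r"^(QTS|QuTS hero|QuTScloud)\s+[hc]?(\d+)\.(\d+)\.(\d+)\.(\d+)"
                      r"(?:\s+Build\s+(\d{8}))?$")

def parse(version):
    """Split a firmware string into (product, branch, build number, build date)."""
    m = _VERSION.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised firmware string: {version!r}")
    product, major, minor, patch, number, date = m.groups()
    branch = (int(major), int(minor), int(patch))
    return product, branch, int(number), (int(date) if date else None)

# Index the fixed releases by (product, branch); assumption: branches are independent.
_FIXED_BY_BRANCH = {(p, b): (n, d) for p, b, n, d in map(parse, FIXED)}

def status(version):
    """Return 'patched', 'outdated' or 'unlisted' for one firmware string."""
    product, branch, number, date = parse(version)
    fixed = _FIXED_BY_BRANCH.get((product, branch))
    if fixed is None:
        return "unlisted"  # branch not named in the article; consult Qnap's advisory
    fixed_number, fixed_date = fixed
    if number != fixed_number:
        return "patched" if number > fixed_number else "outdated"
    if fixed_date is None:
        return "patched"   # QuTScloud entry carries no build date
    if date is None:
        return "unlisted"  # same build number, but no date to compare
    return "patched" if date >= fixed_date else "outdated"

# Constructed inventory for illustration; not real devices.
INVENTORY = {
    "nas-01": "QTS 5.0.1.2376 Build 20230421",
    "nas-02": "QTS 4.5.4.2280 Build 20230112",
    "nas-03": "QuTS hero h5.0.1.2348 Build 20230324",
    "nas-04": "QuTScloud c5.0.1.2374",
    "nas-05": "QTS 5.1.0.2399 Build 20230515",
}

def audit(inventory):
    """Map each host to the status of its firmware string."""
    return {host: status(fw) for host, fw in inventory.items()}
```

Hosts reported as "outdated" or "unlisted" are the ones to review in the firmware update dialog.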
The updates can be started from the device user interface: in the control panel, go to "System" – "Firmware Update" and, under "Live Update", click "Check for Update". For a manual update, the images can also be downloaded from the download center after entering the model number.
Qnap last updated the operating systems at the end of August. The new versions corrected encryption that was too weak.
(dmk)