NAS manufacturer QNAP is warning customers about critical vulnerabilities that allow attackers to inject and execute commands remotely. Various versions of the QTS operating system and applications on its NAS devices are affected.
The Risk Is High
Updates are already being distributed, so users should urgently check whether they are already up to date. The update is highly recommended – one of the vulnerabilities received a risk rating of 9.8 out of 10.
QNAP devices have been the target of large-scale ransomware attacks several times in the past. A year ago, the Deadbolt ransomware gang exploited a zero-day vulnerability to encrypt NAS devices that were freely accessible on the Internet.
To avoid major problems, users should install the updates listed below for each vulnerability.
The first vulnerability is known as CVE-2023-23368 and has a critical severity score of 9.8 out of 10. It is a vulnerability that an attacker could exploit to execute commands over a network. The QTS versions affected by the vulnerability are QTS 5.0.x and 4.5.x, QuTS hero h5.0.x and h4.5.x, and QuTScloud c5.0.1.
Fixes are available in the following versions:
- QTS 188.8.131.526 Build 20230421 and later
- QTS 184.108.40.2064 Build 20230416 and later
- QuTS hero h220.127.116.116 Build 20230421 and later
- QuTS hero h18.104.22.1684 Build 20230417 and later
- QuTScloud c22.214.171.1244 and later
The second vulnerability is listed as CVE-2023-23369 and has a severity of 9.0. It could also be exploited by a remote attacker and have the same effect as the first.
The QTS versions 5.1.x, 4.3.6, 4.3.4, 4.3.3 and 4.2.x, Multimedia Console 2.1.x and 1.4.x as well as Media Streaming Add-on 500.1.x and 500.0.x are affected.
Fixes are available in the following versions:
- QTS 126.96.36.1999 Build 20230515 and later
- QTS 188.8.131.521 Build 20230621 and later
- QTS 184.108.40.2061 Build 20230621 and later
- QTS 220.127.116.110 Build 20230621 and later
- QTS 4.2.6 Build 20230621 and later
- Multimedia Console 2.1.2 (2023/05/04) and later
- Multimedia Console 1.4.8 (2023/05/05) and later
- Media Streaming Add-on 500.1.1.2 (2023/06/12) and later
- Media Streaming Add-on 500.0.0.11 (2023/06/16) and later
To update QTS, QuTS hero, or QuTScloud, you must log in as an administrator and navigate to Control Panel > System > Firmware Update. Click on “Check for update” under “Live Update” to download and install the latest version. Updates are also available as manual downloads from the QNAP website.
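For anyone running several devices, the following added example (not code from QNAP or from this article) compares firmware strings against the fixed builds listed above to show which units still need the update. The inventory, host names, firmware string format and four-part version numbers are constructed, and pairing each fixed build with an affected branch assumes the two lists follow the same order.

```python
import re

# Fixed build per affected firmware branch, from the lists above.
# Assumption: fixed builds are paired with affected branches in listed order.
# QuTScloud and the two apps are omitted (no build number is given for them).
FIXED_BUILDS = {
    "CVE-2023-23368": {("QTS", "5.0"): 20230421, ("QTS", "4.5"): 20230416,
                       ("QuTS hero", "h5.0"): 20230421,
                       ("QuTS hero", "h4.5"): 20230417},
    "CVE-2023-23369": {("QTS", "5.1"): 20230515, ("QTS", "4.3.6"): 20230621,
                       ("QTS", "4.3.4"): 20230621, ("QTS", "4.3.3"): 20230621,
                       ("QTS", "4.2"): 20230621},
}

FIRMWARE_RE = re.compile(r"^(QTS|QuTS hero) (h?\d+(?:\.\d+)+) Build (\d{8})$")

def unpatched_cves(firmware):
    """Return CVEs still open for a firmware string, or None if unparsable.

    An empty list means "not listed as affected or already at a fixed build",
    based only on the branches named in this article.
    """
    m = FIRMWARE_RE.match(firmware.strip())
    if m is None:
        return None
    product, version, build = m.group(1), m.group(2), int(m.group(3))
    open_cves = []
    for cve, branches in FIXED_BUILDS.items():
        for (prod, branch), fixed in branches.items():
            in_branch = version == branch or version.startswith(branch + ".")
            if prod == product and in_branch and build < fixed:
                open_cves.append(cve)
    return open_cves

def triage(inventory):
    """Map each host to its open CVEs (None = check that device by hand)."""
    return {host: unpatched_cves(fw) for host, fw in inventory.items()}

# Constructed inventory: host names and four-part version numbers are made up.
INVENTORY = {
    "nas-01": "QTS 5.0.1.0000 Build 20230101",
    "nas-02": "QTS 5.0.1.0000 Build 20230421",
    "nas-03": "QuTS hero h4.5.4.0000 Build 20230416",
    "nas-04": "QTS 4.3.6.0000 Build 20230515",
    "nas-05": "firmware string missing",
}

if __name__ == "__main__":
    for host, result in triage(INVENTORY).items():
        print(host, "UNKNOWN" if result is None else result or "ok")
```

A device that comes back with an empty list is only clear with respect to the branches named here; firmware on a branch the article does not list should be checked against QNAP's own advisory.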