QNAP issued emergency security advisories over the weekend, addressing multiple vulnerabilities and prioritizing remediation for three critical severity flaws that require prompt attention from customers.
A critical vulnerability has been identified in QNAP Notes Station 3, a note-taking and collaboration tool used on the company's network-attached storage (NAS) systems. The flaw, affecting subsequent versions of this software, poses significant risks if left unaddressed.
- Missing authentication for critical functions: remote attackers can gain unauthorized access and run specific system functions. Because no authentication is required, the flaw can be exploited without prior authorization, posing a significant risk of system compromise. (CVSS v4 rating: 9.3, "critical")
- A server-side request forgery (SSRF) vulnerability that could allow remote attackers with valid credentials to craft malicious requests that manipulate server-side behavior, thereby exposing sensitive data.
QNAP has addressed these issues in Notes Station 3 version 3.9.7 and advises customers to upgrade to this version or a later one to minimize potential risks. Directions on updating are .
Two identical bulletins report opposite vulnerabilities, both with a high severity rating (CVSS v4: 8.7 and 8.4), namely unauthorised command injection and data input vulnerabilities that necessitate user-level access for exploitation.
QuRouter flaws
QNAP has addressed a third critical vulnerability discovered on Saturday, specifically affecting QuRouter 2.4.x products, its range of high-performance and secure routers.
The vulnerability is rated 9.5 out of 10 under the Common Vulnerability Scoring System version 4, which makes it critical. It is an OS command injection flaw that allows remote attackers to execute arbitrary commands on the host system.
QNAP has also acknowledged a second, less severe command injection vulnerability, designated as CVE-2021-29631, affecting QuRouter version 2.4.3.106.
Other QNAP fixes
Products that received critical updates over the weekend include AI-powered engines, log management tools, enhanced operating systems for network-attached storage devices, and upgraded versions of QTS.
Multiple critical vulnerabilities have been identified in these products, with CVSS v4 scores ranging from 7.7 to 8.7, denoting an exceptionally high severity level.
- An information exposure flaw that could allow remote attackers to gain access to sensitive data and compromise system security. The vulnerability affects QNAP AI Core version 3.4.x and has been fixed in version 3.4.1 and later.
- A vulnerability that permits remote unauthorized attackers to traverse the file system, potentially allowing them to access or alter sensitive data. The vulnerability impacts QuLog Heart versions 1.7.x and 1.8.x, specifically affecting versions 1.7.0.831 and 1.8.0.888.
- Improper handling of externally controlled format strings can allow attackers to access sensitive information or alter memory. Two critical vulnerabilities, CVE-2024-50396 and CVE-2024-50397, have been identified: the first can be exploited remotely to compromise a target's system memory, while the latter requires user-level access for an attacker to potentially gain unauthorized control. All previously identified vulnerabilities have been addressed in both the QTS 5.2.1.2930 and QuTS Hero H5.2.1.2929 updates.
QNAP customers are strongly advised to install the updates as soon as possible to protect against potential attacks.
QNAP devices should never be directly connected to the internet; they should instead be deployed behind a virtual private network (VPN) to prevent remote exploitation of vulnerabilities.
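A patch-level check against the fixed versions named above, as an added example that is not part of the original article or any QNAP tooling. The inventory format, hostnames and installed versions are constructed for illustration, and only products for which the article states a fixed version are included.

```python
import re

# Fixed versions as stated in the article (products without one are left out).
FIXED = {
    "Notes Station 3": "3.9.7",
    "QNAP AI Core": "3.4.1",
    "QTS": "5.2.1.2930",
    "QuTS Hero": "H5.2.1.2929",
}

def parse_version(text):
    """Turn '5.2.1.2930' or 'h5.2.1.2929' into a tuple of ints."""
    cleaned = text.strip().lstrip("hH")
    if not re.fullmatch(r"\d+(\.\d+)*", cleaned):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in cleaned.split("."))

def is_patched(product, installed):
    """Numeric compare (3.9.10 > 3.9.7); shorter versions are zero-padded."""
    fixed, have = parse_version(FIXED[product]), parse_version(installed)
    width = max(len(fixed), len(have))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(have) >= pad(fixed)

def audit(inventory):
    """Return (host, product, installed, status) for each inventory entry."""
    rows = []
    for host, product, installed in inventory:
        try:
            status = "ok" if is_patched(product, installed) else "NEEDS UPDATE"
        except KeyError:
            status = "UNKNOWN PRODUCT"
        except ValueError:
            status = "UNPARSEABLE VERSION"
        rows.append((host, product, installed, status))
    return rows

# Constructed sample inventory: hostnames and installed versions are made up.
SAMPLE = [
    ("nas-01", "QTS", "5.2.1.2930"),
    ("nas-02", "QTS", "5.1.8.2823"),
    ("nas-03", "QuTS Hero", "h5.2.1.2929"),
    ("nas-04", "Notes Station 3", "3.9.6"),
    ("nas-05", "QTS", "unknown"),
]

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print("{:8} {:16} {:12} {}".format(*row))
```

Versions are compared as integer tuples because a plain string comparison would rank 3.9.10 below 3.9.7 and misreport a patched host.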