QNAP NAS Multiple Vulnerabilities

Details

Multiple vulnerabilities were identified in QNAP NAS. A remote attacker could exploit some of these vulnerabilities to trigger denial of service condition, remote code execution, security restriction bypass and cross-site scripting on the targeted system.

Impact

• Remote Code Execution
• Denial of Service
• Cross-Site Scripting
• Security Restriction Bypass

System / Technologies affected

• myQNAPcloud version prior to 1.0.52 (2023/11/24)
• QTS version prior to 4.5.4.2627 build 20231225
• QTS version prior to 5.1.3.2578 build 20231110
• QTS version prior to  5.1.4.2596 build 20231128
• QuTS hero version prior to h4.5.4.2626 build 20231225
• QuTS hero version prior to h5.1.3.2578 build 20231110
• QuTS hero version prior to h5.1.4.2596 build 20231128
• QuTScloud version prior to c5.1.0.2498 build 20230822
• QuTScloud version prior to c5.1.5.2651

Solutions

Before installation of the software, please visit the software vendor web-site for more details.
Apply fixes issued by the vendor:

• https://www.qnap.com/en/security-advisory/qsa-24-11
• https://www.qnap.com/en/security-advisory/qsa-24-09
• https://www.qnap.com/en/security-advisory/qsa-24-12

Vulnerability Identifier

• CVE-2023-32969
• CVE-2023-34975
• CVE-2023-34980
• CVE-2024-21899
• CVE-2024-21900
• CVE-2024-21901

Reference

• https://www.qnap.com/en/security-advisory/qsa-24-11
• https://www.qnap.com/en/security-advisory/qsa-24-09
• https://www.qnap.com/en/security-advisory/qsa-24-12
• https://www.hkcert.org/security-bulletin/qnap-nas-multiple-vulnerabilities_20240311