QNAP critical auth bypass flaw in its NAS - patch now

Brandon Lee

QNAP, a prominent Taiwanese manufacturer of Network Attached Storage (NAS) devices, has issued a warning regarding vulnerabilities in its software offerings, including QTS, QuTS hero, QuTScloud, and myQNAPcloud. These vulnerabilities could potentially allow unauthorized access to the devices.

Three specific vulnerabilities were disclosed by QNAP, encompassing risks of authentication bypass, command injection, and SQL injection. Notably, while the command injection and SQL injection vulnerabilities necessitate attacker authentication on the system, thereby reducing the risk, the authentication bypass vulnerability (CVE-2024-21899) poses a significant threat as it can be exploited remotely without any authentication and is considered to have low complexity.

The impacted software versions are detailed across QNAP's operating system range, including QTS 5.1.x, QTS 4.5.x, QuTS hero h5.1.x, QuTS hero h4.5.x, QuTScloud c5.x, and the myQNAPcloud 1.0.x service. QNAP advises users to update their systems to the latest versions specified to mitigate these vulnerabilities:

  • For QTS and QuTS hero: Upgrade to QTS build 20231110 or later, QTS build 20231225 or later, QuTS hero h5.1.3.2578 build 20231110 or later, and QuTS hero h4.5.4.2626 build 20231225 or later.
  • For QuTScloud: Update to version c5.1.5.2651 or later.
  • For myQNAPcloud: Ensure software is updated to version 1.0.52 (dated 2023/11/24) or later.
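The fixed versions above are the kind of thresholds an administrator ends up comparing against a fleet inventory by hand. The script below is an added example, not code from the post or from QNAP: it parses a constructed banner format ("<product> <version> [build <YYYYMMDD>]", an assumption for this example, not QNAP's actual output) and classifies each device as patched, vulnerable or unknown against the QuTS hero, QuTScloud and myQNAPcloud fixed versions listed in the post. The QTS 5.1.x/4.5.x fixed version numbers are not given in the post, so QTS is intentionally left out and reports "unknown" rather than a guessed threshold.

```python
import re

# Fixed versions as listed in the post, per product and release branch:
# branch -> (version tuple, minimum build date or None when the post gives none).
# QTS is deliberately absent: the post does not state its fixed version numbers.
FIXED = {
    "QuTS hero": {
        "h5.1": ((5, 1, 3, 2578), 20231110),
        "h4.5": ((4, 5, 4, 2626), 20231225),
    },
    "QuTScloud": {"c5": ((5, 1, 5, 2651), None)},
    "myQNAPcloud": {"1.0": ((1, 0, 52), None)},
}

# Assumed banner format (constructed for this example, not QNAP's real output):
#   "<product> <branch-prefix><dotted version> [build <YYYYMMDD>]"
BANNER_RE = re.compile(
    r"^(?P<product>QTS|QuTS hero|QuTScloud|myQNAPcloud)\s+"
    r"(?P<ver>[hc]?\d+(?:\.\d+)*)(?:\s+build\s+(?P<build>\d{8}))?\s*$"
)


def parse_banner(banner):
    """Return (product, version string, build date int or None), or None if unparseable."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return None
    build = int(m.group("build")) if m.group("build") else None
    return m.group("product"), m.group("ver"), build


def version_tuple(ver):
    """'h5.1.3.2578' -> (5, 1, 3, 2578); the h/c branch prefix is dropped."""
    return tuple(int(p) for p in ver.lstrip("hc").split("."))


def assess(banner):
    """Classify one device against the fixed versions for CVE-2024-21899.

    Returns 'patched', 'vulnerable' or 'unknown'. 'patched' is only reported on
    positive evidence: an exact version match without the build date the post
    requires is 'unknown', not 'patched'.
    """
    parsed = parse_banner(banner)
    if parsed is None:
        return "unknown"
    product, ver, build = parsed
    branches = FIXED.get(product, {})
    # Match the release branch by prefix ("h5.1." so that "h5.10." is not confused with it).
    branch = next((k for k in branches if ver.startswith(k + ".")), None)
    if branch is None:
        return "unknown"
    fixed_ver, fixed_build = branches[branch]
    have = version_tuple(ver)
    if have > fixed_ver:
        return "patched"
    if have < fixed_ver:
        return "vulnerable"
    # Same version number: the build date decides when the post specifies one.
    if fixed_build is None:
        return "patched"
    if build is None:
        return "unknown"
    return "patched" if build >= fixed_build else "vulnerable"


def summarize(inventory):
    """Count devices per status for a list of (hostname, banner) pairs."""
    counts = {"patched": 0, "vulnerable": 0, "unknown": 0}
    for _host, banner in inventory:
        counts[assess(banner)] += 1
    return counts


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and banners are made up for the example.
    SAMPLE = [
        ("nas-01", "QuTS hero h5.1.3.2578 build 20231110"),
        ("nas-02", "QuTS hero h5.1.3.2578 build 20231105"),
        ("nas-03", "QuTS hero h4.5.4.2626 build 20231225"),
        ("nas-04", "QuTScloud c5.1.4.2600"),
        ("nas-05", "myQNAPcloud 1.0.52"),
        ("nas-06", "QTS 5.1.3.2578 build 20231110"),
    ]
    for host, banner in SAMPLE:
        print(f"{host:8} {assess(banner):10} {banner}")
    print(summarize(SAMPLE))
```

Devices that come back "unknown" (unparseable banner, unlisted branch, or a matching version with no build date) are the ones to check by hand in 'Control Panel > System > Firmware Update' rather than assume patched.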

To execute these updates, administrators are directed to use the device's interface, either through the 'Control Panel > System > Firmware Update' section for QTS, QuTS hero, and QuTScloud, or via the 'App Center' for myQNAPcloud, and follow the prompts for the automatic installation process.

The analyst might emphasize the importance of these updates given the vital role NAS devices play in storing significant amounts of valuable data, ranging from sensitive personal information to intellectual property and crucial business data. The combination of high-value data storage, continuous internet connection, and the potential use of outdated software makes NAS devices a prime target for cybercriminals.

Notable ransomware groups such as DeadBolt, Checkmate, and Qlocker, which have previously targeted QNAP devices, exploit vulnerabilities, including zero-day exploits, to conduct their attacks, underscoring the critical need for timely software updates and the recommendation against exposing NAS devices directly to the internet.


Posted : 08/03/2024 3:52 pm