QNAP Critical Vulne...
 
Notifications
Clear all

QNAP Critical Vulnerability allows remote access CVE-2024-21899 CVSS 9.8 Patch Now

1 Posts
1 Users
0 Likes
246 Views
Brandon Lee
(@brandon-lee)
Posts: 543
Member Admin
Topic starter
 

Wow, QNAP really needs to revisit their security audits in their code and QA scrutiny:

Over the weekend, QNAP Systems, a company based in Taiwan recognized for its network-attached storage (NAS) and network video recorder (NVR) products, alongside other networking solutions, disclosed updates to rectify several security vulnerabilities in its offerings. Among these, a particularly critical flaw, identified as CVE-2024-21899 with a Common Vulnerability Scoring System (CVSS) rating of 9.8, stands out for allowing unauthenticated access to devices due to improper authentication mechanisms. This vulnerability means that attackers could potentially bypass security protocols and gain unauthorized access to the system via a network.

The affected products include QNAP's QTS, QuTS hero, and QuTScloud software platforms, which are integral to the operation of their NAS devices. To mitigate this risk, QNAP has released updated software versions: QTS 5.1.3.2578 and 4.5.4.2627, QuTS hero h5.1.3.2578 and h4.5.4.2626, along with QuTScloud c5.1.5.2651 to address the vulnerability.

Additionally, QNAP's security bulletin highlighted two medium-severity vulnerabilities, cataloged as CVE-2024-21900 and CVE-2024-21901. These vulnerabilities could potentially enable authenticated users to execute commands or inject code over the network, with the latter requiring administrator-level access for exploitation. Patches for these issues have been integrated into the latest software builds for QTS, QuTS hero, QuTScloud, and myQNAPcloud.

Furthermore, QNAP also patched several other vulnerabilities of medium severity across its product line, including QuMagie Mobile, QTS, QuTS hero, QuTScloud, and Photo Station. These flaws could lead to various security risks such as code injection, command execution, and data leaks.

It's important to note that there was no indication from QNAP regarding the exploitation of these vulnerabilities in real-world attacks. For users and administrators of QNAP products, it's recommended to review the company's security advisories and promptly apply the necessary patches to ensure the security of their devices and data.

https://www.securityweek.com/critical-vulnerability-allows-access-to-qnap-nas-devices/

 
Posted : 11/03/2024 10:49 am