QNAP high-severity ...
Clear all

QNAP high-severity vulnerabilities in QTS and Qsync Central

1 Posts
1 Users
0 Reactions
Brandon Lee
Posts: 554
Member Admin
Topic starter

Heads up. QNAP Systems has addressed a range of security issues in its products by releasing fixes for twenty-four vulnerabilities, including two critical ones that could lead to command execution.

These significant vulnerabilities, identified as CVE-2023-45025 and CVE-2023-39297, involve OS command injection weaknesses found in various versions of QTS, QuTS hero, and QuTScloud. Specifically, CVE-2023-45025 allows for command execution through the network under certain system settings, whereas CVE-2023-39297 necessitates user authentication for successful exploitation.

Further, QNAP has issued corrections for CVE-2023-47567 and CVE-2023-47568, both of which are remotely exploitable issues in QTS, QuTS hero, and QuTScloud that also require administrator authentication for exploitation. CVE-2023-47567 is another instance of an OS command injection flaw, and CVE-2023-47568 pertains to an SQL injection vulnerability.

The fixes for these four security issues were incorporated in updates to QTS, QuTS hero, and QuTScloud, specifically in versions build 20231128 and build 20231225 for QTS, versions h5.1.4.2596 build 20231128 and h4.5.4.2626 build 20231225 for QuTS hero, and version c5.1.5.2651 for QuTScloud.

Additionally, QNAP addressed a third critical flaw affecting Qsync Central versions 4.4.x and 4.3.x, which potentially permitted authenticated users to read or modify critical resources. This vulnerability, cataloged as CVE-2023-47564, resulted from improper permission settings for critical resources and was exploitable over a network. The resolution came with the rollout of Qsync Central versions and

QNAP also patched a series of medium-severity vulnerabilities. These issues presented various risks, including the potential for code execution, denial-of-service (DoS) attacks, command execution, bypassing restrictions, exposing sensitive information, and code injection, thereby reinforcing the importance of applying the latest security updates to mitigate these vulnerabilities.



Posted : 05/02/2024 10:00 am