QNAP high-severity vulnerabilities in QTS and Qsync Central
Heads up. QNAP Systems has addressed a range of security issues in its products by releasing fixes for twenty-four vulnerabilities, including two critical ones that could lead to command execution.
These significant vulnerabilities, identified as CVE-2023-45025 and CVE-2023-39297, are OS command injection weaknesses found in various versions of QTS, QuTS hero, and QuTScloud. Specifically, CVE-2023-45025 allows command execution over the network under certain system settings, whereas CVE-2023-39297 requires user authentication for successful exploitation.
Further, QNAP has issued corrections for CVE-2023-47567 and CVE-2023-47568, both remotely exploitable issues in QTS, QuTS hero, and QuTScloud that require administrator authentication for exploitation. CVE-2023-47567 is another instance of an OS command injection flaw, while CVE-2023-47568 is an SQL injection vulnerability.
The fixes for these four security issues were incorporated in updates to QTS, QuTS hero, and QuTScloud, specifically in versions 188.8.131.5296 build 20231128 and 184.108.40.20627 build 20231225 for QTS, versions h220.127.116.1196 build 20231128 and h18.104.22.16826 build 20231225 for QuTS hero, and version c22.214.171.12451 for QuTScloud.
Additionally, QNAP addressed a third critical flaw affecting Qsync Central versions 4.4.x and 4.3.x, which potentially permitted authenticated users to read or modify critical resources. This vulnerability, cataloged as CVE-2023-47564, resulted from improper permission settings for critical resources and was exploitable over a network. The resolution came with the rollout of Qsync Central versions 126.96.36.199 and 188.8.131.52.
QNAP also patched a series of medium-severity vulnerabilities. These issues carried a range of risks, including code execution, denial-of-service (DoS) attacks, command execution, restriction bypass, exposure of sensitive information, and code injection, which underscores the importance of applying the latest security updates to mitigate these vulnerabilities.