QNAP has launched safety bulletins over the weekend, which handle a number of vulnerabilities, together with three crucial severity flaws that customers ought to handle as quickly as attainable.
Beginning with QNAP Notes Station 3, a note-taking and collaboration utility used within the agency’s NAS techniques, the next two vulnerabilities impression it:
- CVE-2024-38643 – Lacking authentication for crucial features might permit distant attackers to realize unauthorized entry and execute particular system features. The dearth of correct authentication mechanisms makes it attainable for attackers to use this flaw with out prior credentials, resulting in potential system compromise. (CVSS v4 rating: 9.3, “crucial”)
- CVE-2024-38645 – Server-side request forgery (SSRF) vulnerability that would allow distant attackers with authentication credentials to ship crafted requests that manipulate server-side habits, doubtlessly exposing delicate utility knowledge.
QNAP has resolved these points in Notes Station 3 model 3.9.7 and recommends customers replace to this model or later to mitigate the danger. Directions on updating are obtainable on this bulletin.
The opposite two points listed in the identical bulletin, CVE-2024-38644 and CVE-2024-38646, are high-severity (CVSS v4 rating: 8.7, 8.4) command injection and unauthorized knowledge entry issues that require user-level entry to use.
QuRouter flaws
The third crucial flaw QNAP addressed on Saturday is CVE-2024-48860, impacting QuRouter 2.4.x merchandise, QNAP’s line of high-speed, safe routers.
The flaw, rated 9.5 “crucial” based on CVSS v4, is an OS command injection flaw that would permit distant attackers to execute instructions on the host system.
QNAP additionally fastened a second, much less extreme command injection downside tracked as CVE-2024-48861, with each points addressed in QuRouter model 2.4.3.106.
Different QNAP fixes
Different merchandise that acquired necessary fixes this weekend are QNAP AI Core (AI engine), QuLog Heart (log administration instrument), QTS (normal OS for NAS gadgets), and QuTS Hero (superior model of QTS).
Here is a abstract of crucial flaws that have been fastened in these merchandise, with a CVSS v4 score between 7.7 and eight.7 (excessive).
- CVE-2024-38647: Info publicity downside that would permit distant attackers to realize entry to delicate knowledge and compromise system safety. The flaw impacts QNAP AI Core model 3.4.x and has been resolved in model 3.4.1 and later.
- CVE-2024-48862: Hyperlink-following flaw that would permit distant unauthorized attackers to traverse the file system and entry or modify information. It impacts QuLog Heart variations 1.7.x and 1.8.x, and was fastened in variations 1.7.0.831 and 1.8.0.888.
- CVE-2024-50396 and CVE-2024-50397: Improper dealing with of externally managed format strings, which might permit attackers to entry delicate knowledge or modify reminiscence. CVE-2024-50396 might be exploited remotely to control system reminiscence, whereas CVE-2024-50397 requires user-level entry. Each vulnerabilities have been resolved in QTS 5.2.1.2930 and QuTS hero h5.2.1.2929.
QNAP clients are strongly suggested to put in the updates as quickly as attainable to stay protected towards potential assaults.
As all the time, QNAP gadgets ought to by no means be related on to the Web and will as an alternative be deployed behind a VPN to stop distant exploitation of flaws.