Jump to content
  • QNAP addresses critical flaws across NAS, router software

    Karlston

    • 206 views
    • 3 minutes
     Share


    • 206 views
    • 3 minutes

    QNAP has released security bulletins over the weekend, which address multiple vulnerabilities, including three critical severity flaws that users should address as soon as possible.

     

    Starting with QNAP Notes Station 3, a note-taking and collaboration application used in the firm's NAS systems, the following two vulnerabilities impact it:

     

    • CVE-2024-38643 – Missing authentication for critical functions could allow remote attackers to gain unauthorized access and execute specific system functions. The lack of proper authentication mechanisms makes it possible for attackers to exploit this flaw without prior credentials, leading to potential system compromise. (CVSS v4 score: 9.3, "critical")
    • CVE-2024-38645 – Server-side request forgery (SSRF) vulnerability that could enable remote attackers with authentication credentials to send crafted requests that manipulate server-side behavior, potentially exposing sensitive application data.

     

    QNAP has resolved these issues in Notes Station 3 version 3.9.7 and recommends users update to this version or later to mitigate the risk. Instructions on updating are available in this bulletin.

     

    The other two issues listed in the same bulletin, CVE-2024-38644 and CVE-2024-38646, are high-severity (CVSS v4 score: 8.7, 8.4) command injection and unauthorized data access problems that require user-level access to exploit.

    QuRouter flaws

    The third critical flaw QNAP addressed on Saturday is CVE-2024-48860, impacting QuRouter 2.4.x products, QNAP's line of high-speed, secure routers.

     

    The flaw, rated 9.5 "critical" according to CVSS v4, is an OS command injection flaw that could allow remote attackers to execute commands on the host system.

     

    QNAP also fixed a second, less severe command injection problem tracked as CVE-2024-48861, with both issues addressed in QuRouter version 2.4.3.106.

    Other QNAP fixes

    Other products that received important fixes this weekend are QNAP AI Core (AI engine), QuLog Center (log management tool), QTS (standard OS for NAS devices), and QuTS Hero (advanced version of QTS).

     

    Here's a summary of the most important flaws that were fixed in those products, with a CVSS v4 rating between 7.7 and 8.7 (high).

     

    • CVE-2024-38647: Information exposure problem that could allow remote attackers to gain access to sensitive data and compromise system security. The flaw affects QNAP AI Core version 3.4.x and has been resolved in version 3.4.1 and later.
    • CVE-2024-48862: Link-following flaw that could allow remote unauthorized attackers to traverse the file system and access or modify files. It impacts QuLog Center versions 1.7.x and 1.8.x, and was fixed in versions 1.7.0.831 and 1.8.0.888.
    • CVE-2024-50396 and CVE-2024-50397: Improper handling of externally controlled format strings, which could allow attackers to access sensitive data or modify memory. CVE-2024-50396 can be exploited remotely to manipulate system memory, while CVE-2024-50397 requires user-level access. Both vulnerabilities have been resolved in QTS 5.2.1.2930 and QuTS hero h5.2.1.2929.

     

    QNAP customers are strongly advised to install the updates as soon as possible to remain protected against potential attacks.

     

    As always, QNAP devices should never be connected directly to the Internet and should instead be deployed behind a VPN to prevent remote exploitation of flaws.

     

    Source


    Hope you enjoyed this news post.

    Thank you for appreciating my time and effort posting news every day for many years.

    2023: Over 5,800 news posts | 2024 (till end of October): 4,832 news posts

    RIP Matrix | Farewell my friend  :sadbye:


    User Feedback

    Recommended Comments

    There are no comments to display.



    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...