QNAP Patches Critical Vulnerabilities in QTS and QuTS Hero Systems
2024-12-10
Learn about the critical importance of timely patch management to protect against high-severity vulnerabilities in widely-used storage solutions.
QNAP has issued patches for several high-severity vulnerabilities in its QTS and QuTS Hero systems, including a command injection flaw and a CRLF injection bug, both with significant security risks. The updates, available in specific software builds, also address an improper certificate validation vulnerability and other medium to low-severity flaws. Additionally, a high-severity issue in License Center and a medium-severity flaw in Qsync Central have been patched. While there is no indication of these vulnerabilities being exploited in the wild, users are advised to update their systems promptly to prevent potential attacks.
Patch Management, Web App/Website Vulnerability, Other: Injection
QNAP, Vulnerabilities, Patches, QTS, QuTS Hero, Command Injection, CRLF Injection
CVE-2024-50393; CVE-2024-48868; CVE-2024-48865; CVE-2024-48863
QNAP, QTS, QuTS Hero, License Center, Qsync Central
QNAP, a leading provider of network-attached storage (NAS) solutions, has released important patches to address several high-severity security vulnerabilities in its systems. These vulnerabilities were identified in their QTS and QuTS Hero operating systems, which are integral to QNAP's storage, networking, and smart video solutions. The most critical vulnerability, identified as CVE-2024-50393, is a command injection flaw with a high Common Vulnerability Scoring System (CVSS) score of 8.7. This vulnerability could allow remote attackers to execute arbitrary commands on vulnerable devices, posing a significant security threat. Another severe vulnerability, CVE-2024-48868, also carries a CVSS score of 8.7. This issue involves a Carriage Return and Line Feed (CRLF) injection, which can be used to alter application data. CRLF injection occurs when special characters, typically used as End of Line markers in HTTP headers, are improperly handled. QNAP's updates also address CVE-2024-48865, an improper certificate validation vulnerability with a CVSS score of 7.3. This flaw could potentially allow attackers within a local network to undermine system security. In addition to these high-severity issues, QNAP's latest patches also resolve medium and low-severity vulnerabilities. These include improper authentication and CRLF injection flaws, as well as Hex encoding and externally-controlled format string defects. A high-severity vulnerability in QNAP's License Center, tracked as CVE-2024-48863 with a CVSS score of 7.7, has also been patched. This flaw could permit remote attackers to execute arbitrary commands, similar to the command injection vulnerability in QTS and QuTS Hero. Furthermore, QNAP has updated Qsync Central to version 4.4.0.16, addressing a medium-severity flaw that could allow users with access to traverse the file system beyond intended locations. While QNAP has not reported any of these vulnerabilities being actively exploited in the wild, the history of attacks on vulnerable QNAP devices underscores the importance of updating systems promptly. Users are strongly advised to apply these updates to safeguard their devices against potential threats.QNAP Releases Critical Patches for Vulnerabilities
Key Vulnerabilities Addressed
Additional Security Updates
Urgent Need for Updates
https://www.securityweek.com/qnap-patches-vulnerabilities-exploited-at-pwn2own/