QNAP is sounding the alarm on its NAS devices, saying they are vulnerable to flaws that could result in dangerous cyber-attacks.
The company has said that some of its QTS, QuTS hero, QuTScloud and myQNAPcloud products were vulnerable to three different flaws, one of which was particularly dangerous.
This flaw is tracked as CVE-2024-21899 and described as an improper authentication mechanism. Hackers can use this vulnerability, the company explains, to remotely compromise the security of the target system via the network. The other two vulnerabilities are tracked as CVE-2024-21900 and CVE-2024-21901. The former allows arbitrary command execution, while the latter allows malicious SQL code injection. What sets the first flaw apart from these two is that only it can be exploited remotely, without the need for prior authentication.
Patch, or face the consequences
The QNAP operating system versions vulnerable to these flaws are QTS 5.1.x, QTS 4.5.x, QuTS hero h5.1.x, QuTS hero h4.5.x, QuTScloud c5.x, and the myQNAPcloud 1.0.x service.
To defend against potential attackers, QNAP NAS users are advised to upgrade their instances to these versions:
QTS 5.1.3.2578 build 20231110 and later
QTS 4.5.4.2627 build 20231225 and later
QuTS hero h5.1.3.2578 build 20231110 and above
QuTS hero h4.5.4.2626 build 20231225 and above
QuTScloud c5.1.5.2651 and higher
myQNAPcloud 1.0.52 (24/11/2023) and higher
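For administrators with more than one device, the version list above can be turned into a quick inventory check. The script below is an added example, not QNAP's or the article's code; the hostnames and installed versions in the sample inventory are constructed, and the `build YYYYMMDD` parsing assumes the version string format used in the list.

```python
import re

# Minimum fixed release per affected branch, copied from the list above.
FIXED = {
    ("QTS", "5.1"): "5.1.3.2578 build 20231110",
    ("QTS", "4.5"): "4.5.4.2627 build 20231225",
    ("QuTS hero", "5.1"): "h5.1.3.2578 build 20231110",
    ("QuTS hero", "4.5"): "h4.5.4.2626 build 20231225",
    ("QuTScloud", "5"): "c5.1.5.2651",
    ("myQNAPcloud", "1.0"): "1.0.52",
}
VERSION_RE = re.compile(r"[hc]?(\d+(?:\.\d+)*)(?:\s+build\s+(\d{8}))?", re.I)

def parse(version):
    """'h5.1.3.2578 build 20231110' -> ((5, 1, 3, 2578), 20231110); build date is 0 if absent."""
    m = VERSION_RE.fullmatch(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(p) for p in m.group(1).split(".")), int(m.group(2) or 0)

def status(product, version):
    """Return 'patched', 'vulnerable', or 'not-listed' (branch not named in the article)."""
    nums, build = parse(version)
    for (prod, branch), fixed in FIXED.items():
        prefix = tuple(int(p) for p in branch.split("."))
        if prod.lower() != product.lower() or nums[:len(prefix)] != prefix:
            continue
        fixed_nums, fixed_build = parse(fixed)
        if nums != fixed_nums:
            return "patched" if nums > fixed_nums else "vulnerable"
        # Same version number: fall back to the build date when the device reports one.
        return "vulnerable" if build and build < fixed_build else "patched"
    return "not-listed"

def audit(inventory):
    """Map each host in [(host, product, version), ...] to its status."""
    return {host: status(product, version) for host, product, version in inventory}

# Constructed sample inventory (hostnames and installed versions are made up).
SAMPLE = [
    ("nas-01", "QTS", "5.1.2.2533 build 20230926"),
    ("nas-02", "QTS", "5.1.3.2578 build 20231110"),
    ("nas-03", "QuTS hero", "h4.5.4.2476 build 20230728"),
    ("nas-04", "QuTScloud", "c5.1.5.2651"),
    ("nas-05", "QTS", "5.0.1.2346 build 20230322"),
]

if __name__ == "__main__":
    for host, result in audit(SAMPLE).items():
        print(f"{host}: {result}")
```

A version reported without its build number compares as lower than the fixed release, so it is flagged as vulnerable rather than assumed safe. Branches the article does not name come back as `not-listed` and need to be checked against QNAP's own advisories.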
QNAP’s NAS devices are popular among SMBs, making them a prime target for cybercriminals. The Taiwanese manufacturer often discovers and patches very serious and critical vulnerabilities, and users are advised to watch for patches and apply them as soon as possible.
About a month ago, QNAP patched 24 vulnerabilities across its product range, including two very serious flaws that could allow command execution, and in late January QNAP patched a dangerous flaw affecting QTS 5.0.1 and QuTS hero h5.0.1.
Via BleepingComputer