QNAP has launched safety bulletins over the weekend, which deal with a number of vulnerabilities, together with three essential severity flaws that customers ought to deal with as quickly as potential.
Beginning with QNAP Notes Station 3, a note-taking and collaboration utility used within the agency’s NAS techniques, the next two vulnerabilities impression it:
- CVE-2024-38643 – Lacking authentication for essential features may enable distant attackers to realize unauthorized entry and execute particular system features. The dearth of correct authentication mechanisms makes it potential for attackers to use this flaw with out prior credentials, resulting in potential system compromise. (CVSS v4 rating: 9.3, “essential”)
- CVE-2024-38645 – Server-side request forgery (SSRF) vulnerability that would allow distant attackers with authentication credentials to ship crafted requests that manipulate server-side conduct, doubtlessly exposing delicate utility knowledge.
QNAP has resolved these points in Notes Station 3 model 3.9.7 and recommends customers replace to this model or later to mitigate the chance. Directions on updating are obtainable on this bulletin.
The opposite two points listed in the identical bulletin, CVE-2024-38644 and CVE-2024-38646, are high-severity (CVSS v4 rating: 8.7, 8.4) command injection and unauthorized knowledge entry issues that require user-level entry to use.
QuRouter flaws
The third essential flaw QNAP addressed on Saturday is CVE-2024-48860, impacting QuRouter 2.4.x merchandise, QNAP’s line of high-speed, safe routers.
The flaw, rated 9.5 “essential” in response to CVSS v4, is an OS command injection flaw that would enable distant attackers to execute instructions on the host system.
QNAP additionally fastened a second, much less extreme command injection downside tracked as CVE-2024-48861, with each points addressed in QuRouter model 2.4.3.106.
Different QNAP fixes
Different merchandise that acquired essential fixes this weekend are QNAP AI Core (AI engine), QuLog Heart (log administration device), QTS (customary OS for NAS units), and QuTS Hero (superior model of QTS).
Here is a abstract of crucial flaws that have been fastened in these merchandise, with a CVSS v4 score between 7.7 and eight.7 (excessive).
- CVE-2024-38647: Info publicity downside that would enable distant attackers to realize entry to delicate knowledge and compromise system safety. The flaw impacts QNAP AI Core model 3.4.x and has been resolved in model 3.4.1 and later.
- CVE-2024-48862: Hyperlink-following flaw that would enable distant unauthorized attackers to traverse the file system and entry or modify recordsdata. It impacts QuLog Heart variations 1.7.x and 1.8.x, and was fastened in variations 1.7.0.831 and 1.8.0.888.
- CVE-2024-50396 and CVE-2024-50397: Improper dealing with of externally managed format strings, which may enable attackers to entry delicate knowledge or modify reminiscence. CVE-2024-50396 could be exploited remotely to control system reminiscence, whereas CVE-2024-50397 requires user-level entry. Each vulnerabilities have been resolved in QTS 5.2.1.2930 and QuTS hero h5.2.1.2929.
QNAP clients are strongly suggested to put in the updates as quickly as potential to stay protected towards potential assaults.
As all the time, QNAP units ought to by no means be linked on to the Web and may as an alternative be deployed behind a VPN to forestall distant exploitation of flaws.