QNAP has launched safety bulletins over the weekend, which handle a number of vulnerabilities, together with three crucial severity flaws that customers ought to handle as quickly as doable.
Beginning with QNAP Notes Station 3, a note-taking and collaboration utility used within the agency’s NAS methods, the next two vulnerabilities affect it:
- CVE-2024-38643 – Lacking authentication for crucial features may enable distant attackers to achieve unauthorized entry and execute particular system features. The shortage of correct authentication mechanisms makes it doable for attackers to take advantage of this flaw with out prior credentials, resulting in potential system compromise. (CVSS v4 rating: 9.3, “crucial”)
- CVE-2024-38645 – Server-side request forgery (SSRF) vulnerability that might allow distant attackers with authentication credentials to ship crafted requests that manipulate server-side habits, doubtlessly exposing delicate utility information.
QNAP has resolved these points in Notes Station 3 model 3.9.7 and recommends customers replace to this model or later to mitigate the chance. Directions on updating are obtainable on this bulletin.
The opposite two points listed in the identical bulletin, CVE-2024-38644 and CVE-2024-38646, are high-severity (CVSS v4 rating: 8.7, 8.4) command injection and unauthorized information entry issues that require user-level entry to take advantage of.
QuRouter flaws
The third crucial flaw QNAP addressed on Saturday is CVE-2024-48860, impacting QuRouter 2.4.x merchandise, QNAP’s line of high-speed, safe routers.
The flaw, rated 9.5 “crucial” in line with CVSS v4, is an OS command injection flaw that might enable distant attackers to execute instructions on the host system.
QNAP additionally fastened a second, much less extreme command injection downside tracked as CVE-2024-48861, with each points addressed in QuRouter model 2.4.3.106.
Different QNAP fixes
Different merchandise that obtained necessary fixes this weekend are QNAP AI Core (AI engine), QuLog Heart (log administration device), QTS (normal OS for NAS units), and QuTS Hero (superior model of QTS).
This is a abstract of a very powerful flaws that have been fastened in these merchandise, with a CVSS v4 ranking between 7.7 and eight.7 (excessive).
- CVE-2024-38647: Data publicity downside that might enable distant attackers to achieve entry to delicate information and compromise system safety. The flaw impacts QNAP AI Core model 3.4.x and has been resolved in model 3.4.1 and later.
- CVE-2024-48862: Hyperlink-following flaw that might enable distant unauthorized attackers to traverse the file system and entry or modify information. It impacts QuLog Heart variations 1.7.x and 1.8.x, and was fastened in variations 1.7.0.831 and 1.8.0.888.
- CVE-2024-50396 and CVE-2024-50397: Improper dealing with of externally managed format strings, which may enable attackers to entry delicate information or modify reminiscence. CVE-2024-50396 may be exploited remotely to control system reminiscence, whereas CVE-2024-50397 requires user-level entry. Each vulnerabilities have been resolved in QTS 5.2.1.2930 and QuTS hero h5.2.1.2929.
QNAP clients are strongly suggested to put in the updates as quickly as doable to stay protected towards potential assaults.
As at all times, QNAP units ought to by no means be related on to the Web and may as a substitute be deployed behind a VPN to forestall distant exploitation of flaws.
