Multiple QNAP Vulnerability Let Hackers Hijack Your NAS
- С сайта: Vulnerability(cybersecuritynews.com)
- Вернуться к списку новостей
С сайта: Vulnerability(cybersecuritynews.com)
QNAP has disclosed multiple vulnerabilities across its network-attached storage (NAS) systems, which could allow hackers to take control of affected devices.
The vulnerabilities impact several versions of QNAP’s operating systems and applications, including QTS, QuTS hero, QuTScloud, and myQNAPcloud.
CVE Details
CVE-2024-21899: Improper Authentication Vulnerability
This critical flaw could allow unauthorized users to compromise the system’s security via a network.
CVE-2024-21900: Command Injection Vulnerability
This vulnerability allows authenticated users to execute arbitrary commands on the system via a network.
This could enable attackers who have already gained initial access to escalate their privileges or perform unauthorized actions on the device.
CVE-2024-21901: SQL Injection Vulnerability
A particularly concerning issue for system administrators is that this SQL injection vulnerability could allow authenticated administrators to inject malicious SQL code into the system.
This could lead to data manipulation or theft, compromising the security and integrity of the data stored on the NAS.
CVE-2024-27124: OS Command Injection Vulnerability
This vulnerability is an OS command injection flaw that, if exploited, could allow attackers to execute arbitrary commands over a network.
Such a breach could lead to full system compromise, data theft, or network infiltration. QNAP has not yet released a patch for CVE-2024-27124.
CVE-2024-32764: Missing Authentication for Critical Function
CVE-2024-32764 is a severe security flaw from missing critical function authentication checks.
Attackers could exploit this vulnerability to gain unauthorized access to these functions via a network without needing to authenticate, potentially leading to unauthorized operations and system control.
QNAP is currently working on fixing this vulnerability.
Users should stay vigilant and update their NAS firmware when the security patch is released.
CVE-2024-32766: OS Command Injection Vulnerability
Similar to CVE-2024-27124, CVE-2024-32766 is another OS command injection vulnerability.
It allows attackers to execute commands via a network, which could result in unauthorized access and control over the affected NAS devices.
The company is in the process of developing a security patch.
Users are encouraged to watch official communications from QNAP for immediate updates.
📁🄳🄾🄲🅄🄼🄴🄽🅃
Affected Products and Fixed Versions
QNAP has promptly addressed these vulnerabilities in the following product versions:
QNAP urges all users to update their systems and applications to the latest versions to mitigate these vulnerabilities.
Regular updates are crucial for maintaining the security of your devices.
Updating Your QNAP Device
To update your QNAP device, follow these steps:
For updating myQNAPcloud:
The swift response by QNAP in fixing these vulnerabilities shows their commitment to user security.
However, this incident serves as a reminder of the constant vigilance required in the digital age, where the integrity and security of data are perpetually at risk.
Users are advised to adhere to recommended security practices and update their devices promptly to protect against potential threats.
#Cyber_Security #Cyber_Security_News #Vulnerability #cyber_security #cyber_security_news #vulnerability
Оригинальная версия на сайте:
Multiple QNAP Vulnerability Let Hackers Hijack Your NAS
Author: DhivyaQNAP has disclosed multiple vulnerabilities across its network-attached storage (NAS) systems, which could allow hackers to take control of affected devices.
The vulnerabilities impact several versions of QNAP’s operating systems and applications, including QTS, QuTS hero, QuTScloud, and myQNAPcloud.
CVE Details
CVE-2024-21899: Improper Authentication Vulnerability
This critical flaw could allow unauthorized users to compromise the system’s security via a network.
CVE-2024-21900: Command Injection Vulnerability
This vulnerability allows authenticated users to execute arbitrary commands on the system via a network.
This could enable attackers who have already gained initial access to escalate their privileges or perform unauthorized actions on the device.
CVE-2024-21901: SQL Injection Vulnerability
A particularly concerning issue for system administrators is that this SQL injection vulnerability could allow authenticated administrators to inject malicious SQL code into the system.
This could lead to data manipulation or theft, compromising the security and integrity of the data stored on the NAS.
CVE-2024-27124: OS Command Injection Vulnerability
This vulnerability is an OS command injection flaw that, if exploited, could allow attackers to execute arbitrary commands over a network.
Such a breach could lead to full system compromise, data theft, or network infiltration. QNAP has not yet released a patch for CVE-2024-27124.
CVE-2024-32764: Missing Authentication for Critical Function
CVE-2024-32764 is a severe security flaw from missing critical function authentication checks.
Attackers could exploit this vulnerability to gain unauthorized access to these functions via a network without needing to authenticate, potentially leading to unauthorized operations and system control.
QNAP is currently working on fixing this vulnerability.
Users should stay vigilant and update their NAS firmware when the security patch is released.
CVE-2024-32766: OS Command Injection Vulnerability
Similar to CVE-2024-27124, CVE-2024-32766 is another OS command injection vulnerability.
It allows attackers to execute commands via a network, which could result in unauthorized access and control over the affected NAS devices.
The company is in the process of developing a security patch.
Users are encouraged to watch official communications from QNAP for immediate updates.
📁🄳🄾🄲🅄🄼🄴🄽🅃
Affected Products and Fixed Versions
QNAP has promptly addressed these vulnerabilities in the following product versions:
- QTS 5.1.x : Fixed in QTS 5.1.3.2578 build 20231110 and later.
- QTS 4.5.x : Fixed in QTS 4.5.4.2627 build 20231225 and later.
- QuTS hero h5.1.x : Fixed in QuTS hero h5.1.3.2578 build 20231110 and later.
- QuTS hero h4.5.x : Fixed in QuTS hero h4.5.4.2626 build 20231225 and later.
- QuTScloud c5.x : Fixed in QuTScloud c5.1.5.2651 and later.
- myQNAPcloud 1.0.x : Fixed in myQNAPcloud 1.0.52 (2023/11/24) and later.
QNAP urges all users to update their systems and applications to the latest versions to mitigate these vulnerabilities.
Regular updates are crucial for maintaining the security of your devices.
Updating Your QNAP Device
To update your QNAP device, follow these steps:
- Log in as an Administrator : Access your QTS, QuTS hero, or QuTScloud system.
- Navigate to System Settings : Go to the Control Panel, then System, and select Firmware Update.
- Check for Updates : Under Live Update, click on ‘Check for Update’. The system will automatically download and install the latest available update.
For updating myQNAPcloud:
- Access App Center : Log in and open the App Center.
- Search for myQNAPcloud : Type “myQNAPcloud” in the search box and press ENTER.
- Update : Click on the Update button if available and follow the prompts.
The swift response by QNAP in fixing these vulnerabilities shows their commitment to user security.
However, this incident serves as a reminder of the constant vigilance required in the digital age, where the integrity and security of data are perpetually at risk.
Users are advised to adhere to recommended security practices and update their devices promptly to protect against potential threats.
#Cyber_Security #Cyber_Security_News #Vulnerability #cyber_security #cyber_security_news #vulnerability
Оригинальная версия на сайте:
