Multiple QNAP Vulnerabilities Let Remote Attackers To Compromise The System Remotely
- С сайта: Vulnerability(cybersecuritynews.com)
- Вернуться к списку новостей
С сайта: Vulnerability(cybersecuritynews.com)
QNAP Systems, a leading provider of network-attached storage (NAS) solutions, has disclosed multiple critical vulnerabilities affecting its QTS and QuTS hero operating systems.
The security advisory, released on December 7, 2024, details eight vulnerabilities discovered during the Pwn2Own 2024 competition, potentially allowing remote attackers to compromise system security.
The vulnerabilities, identified as CVE-2024-48859, CVE-2024-48865, CVE-2024-48866, CVE-2024-48867, CVE-2024-48868, CVE-2024-50393, CVE-2024-50402, and CVE-2024-50403.
Besides this, all these above-mentioned vulnerabilities affected the QTS versions 5.1.x and 5.2.x, as well as QuTS hero versions h5.1.x and h5.2.x.
The most severe vulnerability, CVE-2024-48859, is an improper authentication flaw that could allow remote attackers to compromise system security.
However, researchers at QNAP noted another critical issue, which is “CVE-2024-48865,” that involves improper certificate validation, potentially enabling local network attackers to breach system security.
Vulnerabilities
QNAP has addressed these vulnerabilities in the following versions:-
Affected ProductFixed VersionQTS 5.1.xQTS 5.1.9.2954 build 20241120 and laterQTS 5.2.xQTS 5.2.2.2950 build 20241114 and laterQuTS hero h5.1.xQuTS hero h5.1.9.2954 build 20241120 and laterQuTS hero h5.2.xQuTS hero h5.2.2.2952 build 20241116 and later
To mitigate these risks, QNAP strongly recommends users update their systems to the latest version.
Users can perform updates through the QTS or QuTS hero interface by logging in as an administrator, navigating to Control Panel > System > Firmware Update, and clicking “Check for Update” under Live Update.
This security advisory follows a series of vulnerability disclosures by QNAP in recent months. In November 2024, the company addressed multiple vulnerabilities in QTS and QuTS hero, including buffer overflow and NULL pointer dereference issues.
Earlier in April 2024, a critical vulnerability (CVE-2024-21899) was patched, which could have allowed network attackers to access QNAP NAS devices without authentication.
Given the potential impact of these vulnerabilities and the history of QNAP products being targeted by threat actors, users are urged to apply the updates promptly to ensure the security of their NAS devices and data.
#Cyber_Security_News #Vulnerability #cyber_security_news #vulnerability
Оригинальная версия на сайте:
Multiple QNAP Vulnerabilities Let Remote Attackers To Compromise The System Remotely
Author: Tushar Subhra DuttaQNAP Systems, a leading provider of network-attached storage (NAS) solutions, has disclosed multiple critical vulnerabilities affecting its QTS and QuTS hero operating systems.
The security advisory, released on December 7, 2024, details eight vulnerabilities discovered during the Pwn2Own 2024 competition, potentially allowing remote attackers to compromise system security.
The vulnerabilities, identified as CVE-2024-48859, CVE-2024-48865, CVE-2024-48866, CVE-2024-48867, CVE-2024-48868, CVE-2024-50393, CVE-2024-50402, and CVE-2024-50403.
Besides this, all these above-mentioned vulnerabilities affected the QTS versions 5.1.x and 5.2.x, as well as QuTS hero versions h5.1.x and h5.2.x.
The most severe vulnerability, CVE-2024-48859, is an improper authentication flaw that could allow remote attackers to compromise system security.
However, researchers at QNAP noted another critical issue, which is “CVE-2024-48865,” that involves improper certificate validation, potentially enabling local network attackers to breach system security.
Vulnerabilities
- CVE-2024-48859: Improper authentication flaw
- CVE-2024-48865: It involves improper certificate validation
- CVE-2024-48866: Improper handling of URL encoding, allowing remote attackers to cause unexpected system states
- CVE-2024-48867 and CVE-2024-48868: CRLF injection vulnerabilities, enabling remote attackers to modify application data
- CVE-2024-50393: A command injection vulnerability, permitting remote attackers to execute arbitrary commands
- CVE-2024-50402 and CVE-2024-50403: Use of externally-controlled format string vulnerabilities, allowing attackers with administrator access to obtain secret data or modify memory
QNAP has addressed these vulnerabilities in the following versions:-
Affected ProductFixed VersionQTS 5.1.xQTS 5.1.9.2954 build 20241120 and laterQTS 5.2.xQTS 5.2.2.2950 build 20241114 and laterQuTS hero h5.1.xQuTS hero h5.1.9.2954 build 20241120 and laterQuTS hero h5.2.xQuTS hero h5.2.2.2952 build 20241116 and later
To mitigate these risks, QNAP strongly recommends users update their systems to the latest version.
Users can perform updates through the QTS or QuTS hero interface by logging in as an administrator, navigating to Control Panel > System > Firmware Update, and clicking “Check for Update” under Live Update.
This security advisory follows a series of vulnerability disclosures by QNAP in recent months. In November 2024, the company addressed multiple vulnerabilities in QTS and QuTS hero, including buffer overflow and NULL pointer dereference issues.
Earlier in April 2024, a critical vulnerability (CVE-2024-21899) was patched, which could have allowed network attackers to access QNAP NAS devices without authentication.
Given the potential impact of these vulnerabilities and the history of QNAP products being targeted by threat actors, users are urged to apply the updates promptly to ensure the security of their NAS devices and data.
#Cyber_Security_News #Vulnerability #cyber_security_news #vulnerability
Оригинальная версия на сайте:
