QNAP has fixed two vulnerabilities in its QTS and QuTS hero operating systems, including a high-severity command-injection bug that could allow an attacker to execute arbitrary code on a vulnerable device.
The vulnerability exists in several versions of the operating systems, which run on various QNAP network-attached storage devices, including many enterprise-grade appliances. Stephen Fewer, a principal security researcher at Rapid7, discovered the bug (CVE-2024-47218) and disclosed it to QNAP, which has released updated firmware for the affected devices.
The flaw affects the 5.1.x versions of both QTS and QuTS hero.
“QTS is a core part of the firmware for numerous QNAP entry- and mid-level Network Attached Storage (NAS) devices, and QuTS hero is a core part of the firmware for numerous QNAP high-end and enterprise NAS devices. The vulnerable endpoint is the quick.cgi component, exposed by the device’s web based administration feature,” the Rapid7 advisory says.
“The quick.cgi component is present in an uninitialized QNAP NAS device. This component is intended to be used during either manual or cloud based provisioning of a QNAP NAS device.”
As part of the research into the vulnerability, Fewer was able to develop a proof-of-concept exploit, which is included in the advisory.
The second bug fixed in the new versions of the firmware is also a command-injection vulnerability, rated as a medium risk.