
QNAP Fixes Critical Flaws Impacting NAS Devices


QNAP Systems, which makes network-attached storage (NAS) appliances used for file sharing and storage management, has issued a critical advisory fixing three vulnerabilities in several products used for its NAS devices.

The most severe flaw in the security advisory is an improper authentication bug (CVE-2024-21899) that allows users to compromise the security of the system via a network. Further details about this flaw are not available, but according to NIST's National Vulnerability Database it has a CVSS score of 9.8. QNAP also fixed an injection flaw (CVE-2024-21900) that enables authenticated users to execute commands via a network, and a SQL injection vulnerability (CVE-2024-21901) that allows authenticated administrators to inject malicious code via a network.

“To secure your device, we recommend regularly updating your system and applications to the latest version to benefit from vulnerability fixes,” according to the Taiwanese company’s security advisory on Saturday.

The flaws exist in QNAP’s QTS and QuTS hero operating systems, as well as QuTScloud, which QNAP describes as a "cloud-optimized version of the QNAP NAS operating system," and myQNAPcloud, QNAP's service that lets users access their QNAP device remotely via the Internet.

Fixes are available in the latest versions of these products: QTS 5.1.3.2578 build 20231110 and later; QTS 4.5.4.2627 build 20231225 and later; QuTS hero h5.1.3.2578 build 20231110 and later; QuTS hero h4.5.4.2626 build 20231225 and later; QuTScloud c5.1.5.2651 and later; and myQNAPcloud 1.0.52 (2023/11/24) and later. Administrators are urged to log in to QTS, QuTS hero or QuTScloud and check for updates via the Control Panel (or the App Center for myQNAPcloud).
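Because the fixed versions above are per release branch (a QTS 5.1.x threshold and a separate 4.5.x threshold, each qualified by a build date), a naive "is my version number bigger" check will misclassify devices. The following script is an added example, not QNAP's own tooling, for auditing an inventory of NAS devices against the thresholds quoted in the advisory. It assumes version strings in the advisory's own notation (for example "5.1.3.2578 build 20231110", with an "h" or "c" prefix for QuTS hero and QuTScloud); the inventory entries are constructed sample data, and the `patch_status` and `audit` helper names are the example's own. A branch the advisory does not mention (such as QTS 5.0.x) is reported as "unverified" rather than as safe.

```python
"""Audit QNAP OS versions against the fixed versions from the advisory.

Added example code, not QNAP's tooling. Thresholds are the ones quoted in
the advisory; version-string syntax is assumed to match the advisory's
notation ("<ver> build <yyyymmdd>", with h/c prefixes for QuTS hero and
QuTScloud).
"""
import re

# Fixed versions named in the advisory: product -> [(version, build date or None)].
FIXED_VERSIONS = {
    "QTS": [("5.1.3.2578", 20231110), ("4.5.4.2627", 20231225)],
    "QuTS hero": [("h5.1.3.2578", 20231110), ("h4.5.4.2626", 20231225)],
    "QuTScloud": [("c5.1.5.2651", None)],
}

_VERSION_RE = re.compile(
    r"^\s*(?P<prefix>[hc]?)(?P<nums>\d+(?:\.\d+)*)(?:\s+build\s+(?P<build>\d{8}))?\s*$",
    re.IGNORECASE,
)


def parse_version(text):
    """Return (tuple of numeric components, build date as int or None)."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised QNAP version string: {text!r}")
    nums = tuple(int(p) for p in m.group("nums").split("."))
    build = int(m.group("build")) if m.group("build") else None
    return nums, build


def patch_status(product, installed):
    """Classify an installed version as 'fixed', 'vulnerable' or 'unverified'.

    'unverified' means the advisory gives no threshold for this release branch
    (e.g. QTS 5.0.x) or the build date needed to decide is missing; treat it
    as needing manual review, never as safe.
    """
    if product not in FIXED_VERSIONS:
        raise ValueError(f"no advisory data for product {product!r}")
    inst_nums, inst_build = parse_version(installed)
    for fixed_text, fixed_build in FIXED_VERSIONS[product]:
        fixed_nums, _ = parse_version(fixed_text)
        # Thresholds apply per release branch (first two components), so the
        # 5.1.x threshold says nothing about a 5.0.x device.
        if inst_nums[:2] != fixed_nums[:2]:
            continue
        if inst_nums > fixed_nums:
            return "fixed"
        if inst_nums < fixed_nums:
            return "vulnerable"
        # Identical numeric version: the build date decides when the advisory gives one.
        if fixed_build is None:
            return "fixed"
        if inst_build is None:
            return "unverified"
        return "fixed" if inst_build >= fixed_build else "vulnerable"
    return "unverified"


# Constructed sample inventory (hostnames and versions are made up for the example).
CONSTRUCTED_INVENTORY = [
    ("nas-01", "QTS", "5.1.3.2578 build 20231110"),        # exactly at the threshold
    ("nas-02", "QTS", "5.1.2.2500 build 20230901"),        # older 5.1.x release
    ("nas-03", "QTS", "4.5.4.2627 build 20231110"),        # right version, earlier build
    ("nas-04", "QuTS hero", "h5.1.4.2600 build 20231201"),  # newer than the threshold
    ("nas-05", "QuTScloud", "c5.1.5.2651"),                # no build date required
    ("nas-06", "QTS", "5.0.1.2100 build 20220901"),        # branch not in the advisory
]


def audit(inventory=CONSTRUCTED_INVENTORY):
    """Map each hostname to its patch status."""
    return {host: patch_status(product, ver) for host, product, ver in inventory}


if __name__ == "__main__":
    for host, status in audit().items():
        print(f"{host}: {status}")
```

The "unverified" outcome is deliberate: an inventory check that silently treats an unlisted branch as patched is worse than one that asks for a human look, and the same applies when a device reports a version number but no build date while the advisory's threshold depends on one.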

QNAP has previously disclosed various security issues with its QTS and QuTS hero operating systems. A month ago, for instance, the company fixed a high-severity command-injection bug that could allow an attacker to execute arbitrary code on a vulnerable device.

These operating systems power the company’s NAS devices. NAS appliances are complex systems that also serve as a centralized storage location for valuable data, which makes them major targets for attackers. Two years ago, for instance, QNAP warned that threat actors were exploiting known flaws in older versions of its software on the devices to install the Deadbolt ransomware.