QNAP Systems, a leading provider of network-attached storage (NAS) solutions, has disclosed multiple critical vulnerabilities affecting its QTS and QuTS hero operating systems.
The security advisory, released on December 7, 2024, details eight vulnerabilities discovered during the Pwn2Own 2024 competition, potentially allowing remote attackers to compromise system security.
The vulnerabilities, identified as CVE-2024-48859, CVE-2024-48865, CVE-2024-48866, CVE-2024-48867, CVE-2024-48868, CVE-2024-50393, CVE-2024-50402, and CVE-2024-50403.
Besides this, all these above-mentioned vulnerabilities affected the QTS versions 5.1.x and 5.2.x, as well as QuTS hero versions h5.1.x and h5.2.x.
The most severe vulnerability, CVE-2024-48859, is an improper authentication flaw that could allow remote attackers to compromise system security.
However, researchers at QNAP noted another critical issue, which is “CVE-2024-48865,” that involves improper certificate validation, potentially enabling local network attackers to breach system security.
Leveraging 2024 MITRE ATT&CK Results for SME & MSP Cybersecurity Leaders – Attend Free Webinar
Vulnerabilities
- CVE-2024-48859: Improper authentication flaw
- CVE-2024-48865: It involves improper certificate validation
- CVE-2024-48866: Improper handling of URL encoding, allowing remote attackers to cause unexpected system states
- CVE-2024-48867 and CVE-2024-48868: CRLF injection vulnerabilities, enabling remote attackers to modify application data
- CVE-2024-50393: A command injection vulnerability, permitting remote attackers to execute arbitrary commands
- CVE-2024-50402 and CVE-2024-50403: Use of externally-controlled format string vulnerabilities, allowing attackers with administrator access to obtain secret data or modify memory
QNAP has addressed these vulnerabilities in the following versions:-
Affected Product | Fixed Version |
---|---|
QTS 5.1.x | QTS 5.1.9.2954 build 20241120 and later |
QTS 5.2.x | QTS 5.2.2.2950 build 20241114 and later |
QuTS hero h5.1.x | QuTS hero h5.1.9.2954 build 20241120 and later |
QuTS hero h5.2.x | QuTS hero h5.2.2.2952 build 20241116 and later |
To mitigate these risks, QNAP strongly recommends users update their systems to the latest version.
Users can perform updates through the QTS or QuTS hero interface by logging in as an administrator, navigating to Control Panel > System > Firmware Update, and clicking “Check for Update” under Live Update.
This security advisory follows a series of vulnerability disclosures by QNAP in recent months. In November 2024, the company addressed multiple vulnerabilities in QTS and QuTS hero, including buffer overflow and NULL pointer dereference issues.
Earlier in April 2024, a critical vulnerability (CVE-2024-21899) was patched, which could have allowed network attackers to access QNAP NAS devices without authentication.
Given the potential impact of these vulnerabilities and the history of QNAP products being targeted by threat actors, users are urged to apply the updates promptly to ensure the security of their NAS devices and data.
Analyse Real-World Malware & Phishing Attacks With ANY.RUN - Get up to 3 Free Licenses