Multiple QNAP Vulnerabilities Let Remote Attackers To Compromise System

QNAP Systems, a leading provider of network-attached storage (NAS) solutions, has disclosed multiple critical vulnerabilities affecting its QTS and QuTS hero operating systems.

The security advisory, released on December 7, 2024, details eight vulnerabilities discovered during the Pwn2Own 2024 competition, potentially allowing remote attackers to compromise system security.

The vulnerabilities, identified as CVE-2024-48859, CVE-2024-48865, CVE-2024-48866, CVE-2024-48867, CVE-2024-48868, CVE-2024-50393, CVE-2024-50402, and CVE-2024-50403.

Besides this, all these above-mentioned vulnerabilities affected the QTS versions 5.1.x and 5.2.x, as well as QuTS hero versions h5.1.x and h5.2.x.

The most severe vulnerability, CVE-2024-48859, is an improper authentication flaw that could allow remote attackers to compromise system security.

However, researchers at QNAP noted another critical issue, which is “CVE-2024-48865,” that involves improper certificate validation, potentially enabling local network attackers to breach system security.

Leveraging 2024 MITRE ATT&CK Results for SME & MSP Cybersecurity Leaders – Attend Free Webinar

Vulnerabilities

  • CVE-2024-48859: Improper authentication flaw
  • CVE-2024-48865: It involves improper certificate validation
  • CVE-2024-48866: Improper handling of URL encoding, allowing remote attackers to cause unexpected system states
  • CVE-2024-48867 and CVE-2024-48868: CRLF injection vulnerabilities, enabling remote attackers to modify application data
  • CVE-2024-50393: A command injection vulnerability, permitting remote attackers to execute arbitrary commands
  • CVE-2024-50402 and CVE-2024-50403: Use of externally-controlled format string vulnerabilities, allowing attackers with administrator access to obtain secret data or modify memory

QNAP has addressed these vulnerabilities in the following versions:-

Affected ProductFixed Version
QTS 5.1.xQTS 5.1.9.2954 build 20241120 and later
QTS 5.2.xQTS 5.2.2.2950 build 20241114 and later
QuTS hero h5.1.xQuTS hero h5.1.9.2954 build 20241120 and later
QuTS hero h5.2.xQuTS hero h5.2.2.2952 build 20241116 and later

To mitigate these risks, QNAP strongly recommends users update their systems to the latest version.

Users can perform updates through the QTS or QuTS hero interface by logging in as an administrator, navigating to Control Panel > System > Firmware Update, and clicking “Check for Update” under Live Update.

This security advisory follows a series of vulnerability disclosures by QNAP in recent months. In November 2024, the company addressed multiple vulnerabilities in QTS and QuTS hero, including buffer overflow and NULL pointer dereference issues.

Earlier in April 2024, a critical vulnerability (CVE-2024-21899) was patched, which could have allowed network attackers to access QNAP NAS devices without authentication.

Given the potential impact of these vulnerabilities and the history of QNAP products being targeted by threat actors, users are urged to apply the updates promptly to ensure the security of their NAS devices and data.

Analyse Real-World Malware & Phishing Attacks With ANY.RUN - Get up to 3 Free Licenses

Tushar Subhra Dutta
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.