Multiple QNAP Vulnerability Let Hackers Hijack Your NAS

QNAP has disclosed multiple vulnerabilities across its network-attached storage (NAS) systems, which could allow hackers to take control of affected devices.

The vulnerabilities impact several versions of QNAP’s operating systems and applications, including QTS, QuTS hero, QuTScloud, and myQNAPcloud.

CVE Details

CVE-2024-21899: Improper Authentication Vulnerability

This critical flaw could allow unauthorized users to compromise the system’s security via a network.

By exploiting this vulnerability, attackers could bypass authentication mechanisms to gain unauthorized access to the device.

CVE-2024-21900: Command Injection Vulnerability

This vulnerability allows authenticated users to execute arbitrary commands on the system via a network.

Is Your Network Under Attack? - Read CISO’s Guide to Avoiding the Next Breach - Download Free Guide

This could enable attackers who have already gained initial access to escalate their privileges or perform unauthorized actions on the device.

CVE-2024-21901: SQL Injection Vulnerability

A particularly concerning issue for system administrators is that this SQL injection vulnerability could allow authenticated administrators to inject malicious SQL code into the system.

This could lead to data manipulation or theft, compromising the security and integrity of the data stored on the NAS.

CVE-2024-27124: OS Command Injection Vulnerability

This vulnerability is an OS command injection flaw that, if exploited, could allow attackers to execute arbitrary commands over a network.

Such a breach could lead to full system compromise, data theft, or network infiltration. QNAP has not yet released a patch for CVE-2024-27124. 

CVE-2024-32764: Missing Authentication for Critical Function

CVE-2024-32764 is a severe security flaw from missing critical function authentication checks.

Attackers could exploit this vulnerability to gain unauthorized access to these functions via a network without needing to authenticate, potentially leading to unauthorized operations and system control.

QNAP is currently working on fixing this vulnerability.

Users should stay vigilant and update their NAS firmware when the security patch is released.

CVE-2024-32766: OS Command Injection Vulnerability

Similar to CVE-2024-27124, CVE-2024-32766 is another OS command injection vulnerability.

It allows attackers to execute commands via a network, which could result in unauthorized access and control over the affected NAS devices.

The company is in the process of developing a security patch.

Users are encouraged to watch official communications from QNAP for immediate updates.

Integrate ANY.RUN in Your Company for Effective Malware Analysis

Are you from SOC, Threat Research, or DFIR departments? If so, you can join an online community of 400,000 independent security researchers:

• Real-time Detection
• Interactive Malware Analysis
• Easy to Learn by New Security Team members
• Get detailed reports with maximum data
• Set Up Virtual Machine in Linux & all Windows OS Versions
• Interact with Malware Safely

If you want to test all these features now with completely free access to the sandbox:

Try ANY.RUN for FREE

Affected Products and Fixed Versions

QNAP has promptly addressed these vulnerabilities in the following product versions:

• QTS 5.1.x: Fixed in QTS 5.1.3.2578 build 20231110 and later.
• QTS 4.5.x: Fixed in QTS 4.5.4.2627 build 20231225 and later.
• QuTS hero h5.1.x: Fixed in QuTS hero h5.1.3.2578 build 20231110 and later.
• QuTS hero h4.5.x: Fixed in QuTS hero h4.5.4.2626 build 20231225 and later.
• QuTScloud c5.x: Fixed in QuTScloud c5.1.5.2651 and later.
• myQNAPcloud 1.0.x: Fixed in myQNAPcloud 1.0.52 (2023/11/24) and later.

QNAP urges all users to update their systems and applications to the latest versions to mitigate these vulnerabilities.

Regular updates are crucial for maintaining the security of your devices.

Updating Your QNAP Device

To update your QNAP device, follow these steps:

1. Log in as an Administrator: Access your QTS, QuTS hero, or QuTScloud system.
2. Navigate to System Settings: Go to the Control Panel, then System, and select Firmware Update.
3. Check for Updates: Under Live Update, click on ‘Check for Update’. The system will automatically download and install the latest available update.

For updating myQNAPcloud:

1. Access App Center: Log in and open the App Center.
2. Search for myQNAPcloud: Type “myQNAPcloud” in the search box and press ENTER.
3. Update: Click on the Update button if available and follow the prompts.

The swift response by QNAP in fixing these vulnerabilities shows their commitment to user security.

However, this incident serves as a reminder of the constant vigilance required in the digital age, where the integrity and security of data are perpetually at risk.

Users are advised to adhere to recommended security practices and update their devices promptly to protect against potential threats.

Combat Email Threats with Easy-to-Launch Phishing Simulations: Email Security Awareness Training -> Try Free Demo