Alert!

Network storage: Qnap closes security gaps from hacker competition Pwn2Own

NAS models from Qnap are vulnerable. The manufacturer has now released security updates for the operating system and apps.



This article was originally published in German and has been automatically translated.

Attackers can target various Qnap network storage models and, among other things, gain unauthorized access to files. The provider of network solutions has now made security patches available for download.

Two of the closed gaps (CVE-2023-51364 "high", CVE-2023-51365 "high") originate from the Pwn2Own 2023 hacker competition. In a warning message, Qnap writes that attackers can use a path traversal attack to access folders that are supposed to be sealed off and thereby disclose sensitive data in the network. It is not yet clear how such an attack could take place in detail.

Owners of NAS devices should check in the settings that at least one of the following versions of the operating systems QTS, QuTS hero or QuTScloud is installed:

  • QTS 5.1.4.2596 build 20231128
  • QTS 4.5.4.2627 build 20231225
  • QuTS hero h5.1.3.2578 build 20231110
  • QuTS hero h4.5.4.2626 build 20231225
  • QuTScloud c5.1.5.2651
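For admins with more than one device, the list above can be checked mechanically. The following is an added example, not code from Qnap or from this article: it parses version strings in the form used in the list and compares them against the listed minimums. Matching an installed system to a list entry by product and major version is an assumption, and all version strings in the usage and tests other than the five listed ones are constructed.

```python
import re

# Minimum fixed versions, copied from the list in the article.
FIXED = [
    "QTS 5.1.4.2596 build 20231128",
    "QTS 4.5.4.2627 build 20231225",
    "QuTS hero h5.1.3.2578 build 20231110",
    "QuTS hero h4.5.4.2626 build 20231225",
    "QuTScloud c5.1.5.2651",
]

_PATTERN = re.compile(
    r"^(QTS|QuTS hero|QuTScloud)\s+[hc]?(\d+(?:\.\d+){3})(?:\s+build\s+(\d{8}))?$"
)

def parse(text):
    """Split a version string into (product, version tuple, build date or 0)."""
    m = _PATTERN.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    product, version, build = m.groups()
    return product, tuple(int(p) for p in version.split(".")), int(build or 0)

def check(installed):
    """Return 'ok', 'update' or 'unknown' for one installed version string."""
    product, version, build = parse(installed)
    for entry in FIXED:
        f_product, f_version, f_build = parse(entry)
        # Assumption: an entry applies to the same product and major version.
        if f_product != product or f_version[0] != version[0]:
            continue
        if version != f_version:
            return "ok" if version > f_version else "update"
        # Same version number: compare build dates only when both are known.
        return "ok" if not (build and f_build) or build >= f_build else "update"
    return "unknown"  # product or major version not covered by the list

def audit(inventory):
    """Map host name -> check result for a {host: version string} inventory."""
    return {host: check(version) for host, version in inventory.items()}

if __name__ == "__main__":
    # Constructed inventory; host names and the second version are made up.
    sample = {"nas-a": "QTS 5.1.4.2596 build 20231128",
              "nas-b": "QuTS hero h4.5.4.2374 build 20230417"}
    for host, state in audit(sample).items():
        print(f"{host}: {state}")
```

A result of `unknown` means the article's list says nothing about that product line, not that the device is safe.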

Attackers can also exploit a vulnerability (CVE-2023-47222 "high") in the Media Streaming Add-on. If such an attack succeeds, security mechanisms can be bypassed. Version 500.1.1.5 (2024/01/22) is protected against this.

The QuFirewall and Squid add-ons are also vulnerable. In the case of QuFirewall, however, an attacker must already be an admin to be able to leak data in the course of an attack. Version 2.4.1 (2024/02/01) provides a remedy here. With Squid, the proxy server is vulnerable. Here, the developers have closed the vulnerabilities (CVE-2023-5824 "medium", CVE-2023-46724 "medium", CVE-2023-46846 "medium", CVE-2023-46847) in version 1.4.6.

(des)