Multiple software vulnerabilities jeopardize Qnap NAS

Attackers can attack Qnap network storage via vulnerabilities in the operating system and Photo Station, among other things.


Important security updates have been released for various Qnap NAS models. If attacks are successful, attackers can, in the worst case, execute their own commands and compromise devices. Qnap's router operating system QuRouter OS is also vulnerable.

According to the security section of the Qnap website, in addition to the NAS operating systems QTS and QuTS hero, the NAS applications AI Core, OpenSSH, Media Streaming Add-on, Notes Station 3 and QuLog Center are also vulnerable.

So far, Qnap has not reported any attacks. Nevertheless, owners of NAS devices should install the available security updates as soon as possible.

The vulnerability in QuLog Center (CVE-2024-48862, "high") allows unauthorized access to data. A "critical" vulnerability (CVE-2024-38645) in Notes Station 3 also allows data to be leaked. The majority of vulnerabilities in QTS and QuTS hero are classified as "medium" (e.g. CVE-2024-37024). In this example, attackers can gain higher user rights.

If attackers successfully exploit the vulnerabilities (CVE-2024-48860, "critical"; CVE-2024-48861, "high") in QuRouter, they can execute their own commands. Based on the classifications, it can be assumed that they will subsequently gain full control over devices. Photo Station is vulnerable to an XSS attack (CVE-2024-32767, "medium").


These versions are protected against the attacks described:

  • AI Core as of 3.4.1
  • QuLog Center from 1.7.0.831 (2024/10/15), 1.8.0.888 (2024/10/15) and later
  • QuRouter as of 2.4.3.106
  • QTS from 5.2.1.2930 build 20241025
  • QuTS hero from h5.2.1.2929 build 20241025
  • Notes Station 3 as of 3.9.7
  • Photo Station as of 6.4.3 (2024/07/12)
  • Media Streaming Add-on as of 500.1.1.6 (2024/08/02)
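
The fixed-version list above, turned into an inventory check (an added example, not code from Qnap or the original article). The inventory format, hostnames and installed versions are constructed, and treating the two QuLog Center entries as separate 1.7.x and 1.8.x branches is an assumption.

```python
import re

# Fixed versions from the list above. Assumption: the two QuLog Center
# entries are floors for separate 1.7.x and 1.8.x release branches.
FIXED = {
    "AI Core": ["3.4.1"],
    "QuLog Center": ["1.7.0.831", "1.8.0.888"],
    "QuRouter": ["2.4.3.106"],
    "QTS": ["5.2.1.2930"],
    "QuTS hero": ["h5.2.1.2929"],
    "Notes Station 3": ["3.9.7"],
    "Photo Station": ["6.4.3"],
    "Media Streaming Add-on": ["500.1.1.6"],
}

def parse(version):
    """Turn '5.2.1.2930 build 20241025' or 'h5.2.1.2929' into a tuple of ints."""
    core = version.strip().split()[0].lstrip("hH")  # build date is ignored
    if not re.fullmatch(r"\d+(\.\d+)*", core):
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(p) for p in core.split("."))

def is_patched(product, installed):
    """True if installed is at or above the fixed version of its own branch."""
    have = parse(installed)
    floors = sorted(parse(v) for v in FIXED[product])
    # Compare within the branch sharing major.minor, so 1.8.0.500 is not
    # treated as patched merely because it is greater than 1.7.0.831.
    for floor in floors:
        if have[:2] == floor[:2]:
            return have >= floor
    return have > floors[-1]  # no listed branch matches: only newer ones pass

def audit(inventory):
    """Return sorted (host, product, version) entries below a fixed version."""
    return sorted((host, product, ver)
                  for host, apps in inventory.items()
                  for product, ver in apps.items()
                  if product in FIXED and not is_patched(product, ver))

# Constructed sample inventory (hostnames and versions are made up).
INVENTORY = {
    "nas-01": {"QTS": "5.2.1.2930 build 20241025", "QuLog Center": "1.8.0.500"},
    "nas-02": {"QuTS hero": "h5.2.0.2860", "QuLog Center": "1.7.0.900"},
    "rtr-01": {"QuRouter": "2.4.3.106", "Photo Station": "6.4.2"},
}

if __name__ == "__main__":
    for host, product, ver in audit(INVENTORY):
        print(f"{host}: {product} {ver} is below the fixed version")
```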

Only recently, a security update caused problems and Qnap withdrew it.

(des)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.