Security updates: Attackers can compromise Qnap NAS
Qnap network storage devices are vulnerable. Attackers can target several weak points.
Qnap's NAS operating systems QTS and QuTS hero are vulnerable. Security vulnerabilities in the License Center and Qsync Central apps can also serve as a gateway. NAS owners should ensure that the latest security patches are installed.
No attacks spotted so far
According to a warning message, the developers have closed a total of eight security vulnerabilities in QTS and QuTS hero. Three of these are classified as "high" threat level (CVE-2024-50393, CVE-2024-48868, CVE-2024-48865). If attackers successfully exploit the vulnerabilities, they can execute their own commands, among other things. In most cases, attacks are possible remotely. However, it is not yet clear how such an attack could take place in detail.
The vulnerabilities were discovered by participants in the Pwn2Own hacking competition. The following versions are protected against possible attacks:
- QTS 5.1.9.2954 build 20241120
- QTS 5.2.2.2950 build 20241114
- QuTS hero h5.1.9.2954 build 20241120
- QuTS hero h5.2.2.2952 build 20241116
In addition, remote attackers can exploit vulnerabilities in License Center (CVE-2024-48863, "high") and Qsync Central (CVE-2024-50404, "medium"). The execution of custom commands is also conceivable here. License Center 1.9.43 and Qsync Central 4.4.0.16_20240819 (2024/08/19) provide a remedy. So far there are no indications of ongoing attacks.
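For admins with more than one device, the following added example (not from Qnap or the article) checks an inventory of firmware strings against the QTS and QuTS hero releases listed above. It assumes the installed version is available in the same "product version build date" format, and that later releases in the same branch keep the fixes; the host names and inventory entries are constructed.

```python
import re

# Fixed releases named in the article, keyed by (product, major, minor) branch.
FIXED = {
    ("QTS", 5, 1): ((5, 1, 9, 2954), 20241120),
    ("QTS", 5, 2): ((5, 2, 2, 2950), 20241114),
    ("QuTS hero", 5, 1): ((5, 1, 9, 2954), 20241120),
    ("QuTS hero", 5, 2): ((5, 2, 2, 2952), 20241116),
}

# Matches e.g. "QTS 5.1.9.2954 build 20241120" or "QuTS hero h5.2.2.2952 build 20241116".
_RELEASE = re.compile(
    r"^(QTS|QuTS hero)\s+h?(\d+(?:\.\d+){3})\s+build\s+(\d{8})$", re.IGNORECASE
)

def parse_release(text):
    """Split a firmware string into (product, version tuple, build date)."""
    m = _RELEASE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware string: {text!r}")
    product = "QTS" if m.group(1).lower() == "qts" else "QuTS hero"
    version = tuple(int(part) for part in m.group(2).split("."))
    return product, version, int(m.group(3))

def assess(text):
    """Return 'patched', 'outdated', or 'unknown' (branch not named in the article)."""
    try:
        product, version, build = parse_release(text)
    except ValueError:
        return "unknown"
    fixed = FIXED.get((product, version[0], version[1]))
    if fixed is None:
        return "unknown"  # do not guess for branches the article does not list
    # Assumption: a higher version (or same version, later build) contains the fixes.
    return "patched" if (version, build) >= fixed else "outdated"

# Constructed sample inventory (hypothetical hosts and firmware strings).
INVENTORY = {
    "nas-01": "QTS 5.1.8.2823 build 20240712",
    "nas-02": "QTS 5.2.2.2950 build 20241114",
    "nas-03": "QuTS hero h5.2.2.2950 build 20241114",
    "nas-04": "QTS 4.5.4.2790 build 20240605",
}

def audit(inventory):
    return {host: assess(firmware) for host, firmware in inventory.items()}

if __name__ == "__main__":
    for host, status in audit(INVENTORY).items():
        print(f"{host}: {status}")
```

Devices reported as "unknown" run a branch the article does not mention and need to be checked against the vendor advisory directly.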
(des)