Qnap: Numerous updates for several products

Qnap has released a series of software updates that fix vulnerabilities in several products.

Burning NAS systems

(Image: created with AI in Bing Image Creator by heise online / dmk)


Qnap released a whole series of software updates for numerous devices and additional functions at the weekend. In the NAS operating systems QTS and QuTS hero, the developers classify some vulnerabilities as high risk.

Qnap has issued a total of 13 security bulletins. Three high-risk vulnerabilities in QTS 5.1.x and QuTS hero h5.1.x allow attackers to inject and execute their own code or inject their own commands into vulnerable devices. In some cases, malicious actors need user access to do this. In one case, attackers can remotely inject commands if they have previously obtained admin rights (CVE-2024-32763, CVE-2024-38641, CVE-2024-21906). The versions QTS 5.1.8.2823 Build 20240712 and QuTS hero h5.1.8.2823 Build 20240712 or newer correct the errors.

Qnap also classifies vulnerabilities in the Video Station add-on software as high risk. Attackers can inject commands into the operating system from the network in Video Station 5.x (CVE-2023-47563) or abuse an SQL injection vulnerability to smuggle in malicious code (CVE-2023-50360). The programmers have closed the gaps in Video Station 5.8.2 and newer versions.


Qnap has also closed other vulnerabilities with a medium or low threat level in the following products: Notes Station 3 3.9.x, QVR Smart Client 2.4.x, Music Station 5.x, outdated QTS versions (4.3.6, 4.3.4, 4.3.3, 4.2.6), curl and, more generally, QTS 5.1.x and QuTS hero h5.1.x, Helpdesk 3.3.x, QuLog Center 1.7.x and 1.8.x, QuMagie 2.3.x and Download Station 5.8.x.

Anyone using these products should check whether the operating systems and additional software are already up to date or initiate an update if necessary.
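As an added example (not from Qnap or heise online), the following Python script checks an asset inventory against the fixed releases named above. It assumes version strings are recorded in the format the article uses; the function names, host names and sample versions are constructed for illustration.

```python
import re

# Fixed releases exactly as named in the article.
FIXED_OS = ((5, 1, 8, 2823), 20240712)  # QTS / QuTS hero h5.1.8.2823 Build 20240712
FIXED_VIDEO_STATION = (5, 8, 2)
# Version string format as written in the article; the "h" prefix marks QuTS hero.
OS_RE = re.compile(r"(?:QTS|QuTS hero)\s+h?(\d+\.\d+\.\d+\.\d+)\s+Build\s+(\d{8})")

def _ver(text):
    return tuple(int(part) for part in text.split("."))

def check_os(version_string):
    """Return 'patched', 'update-needed', 'out-of-scope' or 'unparsed'."""
    m = OS_RE.fullmatch(version_string.strip())
    if not m:
        return "unparsed"
    version, build = _ver(m.group(1)), int(m.group(2))
    if version[:2] != FIXED_OS[0][:2]:
        # The article names a fixed release for the 5.1.x branch only.
        return "out-of-scope"
    return "patched" if (version, build) >= FIXED_OS else "update-needed"

def check_video_station(version_string):
    text = version_string.strip()
    if not re.fullmatch(r"\d+(\.\d+)+", text):
        return "unparsed"
    version = _ver(text)
    if version[0] != FIXED_VIDEO_STATION[0]:
        return "out-of-scope"  # the article covers Video Station 5.x only
    return "patched" if version >= FIXED_VIDEO_STATION else "update-needed"

def audit(inventory):
    report = {}
    for host, info in inventory.items():
        report[host] = {"os": check_os(info["os"])}
        if "video_station" in info:
            report[host]["video_station"] = check_video_station(info["video_station"])
    return report

# Constructed sample inventory: host names and the older versions are made up.
SAMPLE = {
    "nas-01": {"os": "QTS 5.1.8.2823 Build 20240712", "video_station": "5.8.2"},
    "nas-02": {"os": "QuTS hero h5.1.7.1000 Build 20240101", "video_station": "5.7.4"},
    "nas-03": {"os": "QTS 4.3.6.1000 Build 20240101"},
}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Hosts reported as `out-of-scope` or `unparsed` still need a manual look at the matching Qnap bulletin, since the article gives fixed version numbers only for the 5.1.x operating systems and Video Station 5.x.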

In May, IT security researchers discovered various security vulnerabilities in Qnap NAS. Security patches were not available for all of them at the time; exploit code was already available for one of the gaps.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.