QNAP has released security updates to address two critical security flaws affecting its operating system that could result in arbitrary code execution.
Tracked as CVE-2023-23368 (CVSS score: 9.8), the vulnerability is described as a command injection bug affecting QTS, QuTS hero, and QuTScloud.
"If exploited, the vulnerability could allow remote attackers to execute commands via a network," the company said in an advisory published over the weekend.
The flaw affects the following versions:
- QTS 5.0.x (Fixed in QTS 5.0.1.2376 build 20230421 and later)
- QTS 4.5.x (Fixed in QTS 4.5.4.2374 build 20230416 and later)
- QuTS hero h5.0.x (Fixed in QuTS hero h5.0.1.2376 build 20230421 and later)
- QuTS hero h4.5.x (Fixed in QuTS hero h4.5.4.2374 build 20230417 and later)
- QuTScloud c5.0.x (Fixed in QuTScloud c5.0.1.2374 and later)
Also patched by QNAP is another command injection flaw in QTS, Multimedia Console, and Media Streaming add-on (CVE-2023-23369, CVSS score: 9.0) that could allow remote attackers to execute commands via a network.
The following versions of the software are affected:
- QTS 5.1.x (Fixed in QTS 5.1.0.2399 build 20230515 and later)
- QTS 4.3.6 (Fixed in QTS 4.3.6.2441 build 20230621 and later)
- QTS 4.3.4 (Fixed in QTS 4.3.4.2451 build 20230621 and later)
- QTS 4.3.3 (Fixed in QTS 4.3.3.2420 build 20230621 and later)
- QTS 4.2.x (Fixed in QTS 4.2.6 build 20230621 and later)
- Multimedia Console 2.1.x (Fixed in Multimedia Console 2.1.2 (2023/05/04) and later)
- Multimedia Console 1.4.x (Fixed in Multimedia Console 1.4.8 (2023/05/05) and later)
- Media Streaming add-on 500.1.x (Fixed in Media Streaming add-on 500.1.1.2 (2023/06/12) and later)
- Media Streaming add-on 500.0.x (Fixed in Media Streaming add-on 500.0.0.11 (2023/06/16) and later)
With QNAP devices having been exploited in ransomware attacks in the past, users running any of the aforementioned versions are urged to update to the latest release to mitigate potential threats.
The development comes weeks after the Taiwanese company disclosed that it had taken down a malicious server used in widespread brute-force attacks targeting internet-exposed network-attached storage (NAS) devices with weak passwords.
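A defender with an inventory of QNAP firmware versions needs to turn the fixed-build lists above into a check rather than eyeball them, since the operating-system branches carry both a four-part version and a build date. The following Python is an added example written for this article, not QNAP code or anything from the advisories; it encodes only the QTS, QuTS hero and QuTScloud fixed builds listed above and assumes the inventory records versions in the advisory's own notation (for example "QTS 5.0.1.2376 build 20230421" or "QuTScloud c5.0.1.2374"). A version whose branch is not in the list is reported as unknown rather than safe, and a version with no build date is compared conservatively (it counts as patched only if its numeric version is strictly above the fixed one).

```python
import re
from typing import Dict, Optional, Tuple

Branch = Tuple[str, Tuple[int, ...]]   # e.g. ("QTS", (5, 0)) means "QTS 5.0.x"
Fixed = Tuple[Tuple[int, ...], int]    # (version numbers, build date or 0 if none given)

# Fixed builds for the operating-system branches named in the article
# (CVE-2023-23368 and CVE-2023-23369). A branch listed as "4.3.6" rather
# than "4.3.x" is encoded by a longer prefix tuple.
FIXED_BUILDS: Dict[Branch, Fixed] = {
    # CVE-2023-23368
    ("QTS", (5, 0)):       ((5, 0, 1, 2376), 20230421),
    ("QTS", (4, 5)):       ((4, 5, 4, 2374), 20230416),
    ("QuTS hero", (5, 0)): ((5, 0, 1, 2376), 20230421),
    ("QuTS hero", (4, 5)): ((4, 5, 4, 2374), 20230417),
    ("QuTScloud", (5, 0)): ((5, 0, 1, 2374), 0),   # advisory gives no build date
    # CVE-2023-23369
    ("QTS", (5, 1)):       ((5, 1, 0, 2399), 20230515),
    ("QTS", (4, 3, 6)):    ((4, 3, 6, 2441), 20230621),
    ("QTS", (4, 3, 4)):    ((4, 3, 4, 2451), 20230621),
    ("QTS", (4, 3, 3)):    ((4, 3, 3, 2420), 20230621),
    ("QTS", (4, 2)):       ((4, 2, 6), 20230621),
}

# Assumed inventory format: "<product> [h|c]<dotted version> [build YYYYMMDD]"
VERSION_RE = re.compile(
    r"^(?P<product>QTS|QuTS hero|QuTScloud)\s+[hc]?(?P<nums>\d+(?:\.\d+)*)"
    r"(?:\s+build\s+(?P<build>\d{8}))?$"
)


def parse_version(text: str) -> Tuple[str, Tuple[int, ...], int]:
    """Split a version string into (product, numeric components, build date)."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised QNAP version string: {text!r}")
    nums = tuple(int(part) for part in m.group("nums").split("."))
    build = int(m.group("build")) if m.group("build") else 0
    return m.group("product"), nums, build


def _pad(nums: Tuple[int, ...], width: int) -> Tuple[int, ...]:
    """Right-pad with zeros so (4, 2, 6) compares cleanly against (4, 2, 6, 0)."""
    return nums + (0,) * (width - len(nums))


def is_patched(text: str) -> Optional[bool]:
    """True if at or above the fixed build for its branch, False if below,
    None if the branch is not one the article lists."""
    product, nums, build = parse_version(text)
    # Pick the most specific branch whose prefix matches (4.3.6 beats 4.3).
    candidates = [b for (p, b) in FIXED_BUILDS if p == product and nums[:len(b)] == b]
    if not candidates:
        return None
    branch = max(candidates, key=len)
    fixed_nums, fixed_build = FIXED_BUILDS[(product, branch)]
    width = max(len(nums), len(fixed_nums))
    # Tuple comparison: version numbers first, then build date. A missing
    # build date is 0, so an equal version without a date is not counted as fixed.
    return (_pad(nums, width), build) >= (_pad(fixed_nums, width), fixed_build)


if __name__ == "__main__":
    # Constructed sample inventory lines, not real devices.
    for line in ["QTS 5.0.1.2376 build 20230421", "QTS 4.3.6.2400 build 20230101",
                 "QuTScloud c5.0.1.2374", "QTS 4.3.5.1234"]:
        print(f"{line!r}: {is_patched(line)}")
```

The Multimedia Console and Media Streaming add-on entries are left out because they are dated app releases rather than firmware builds and would need a different version notation; adding them means extending the table and the regular expression, not the comparison logic.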
Some parts of this article are sourced from:
thehackernews.com