Security Advisory

QNAP Product Security Update Advisory

  • Apr 29 2024

Overview

 

We have released an update to fix vulnerabilities in QNAP products. users of affected versions are advised to update to the latest version.

 

Affected Products

 

Cve-2024-21899, cve-2024-21900, cve-2024-21901, cve-2024-27124, cve-2024-32764, cve-2024-32766

  • QTS 5.x versions
  • QTS 4.5.x versions
  • QuTS hero h5.x versions
  • QuTS hero h4.5.x versions
  • QuTScloud c5.x version
  • myQNAPcloud 1.0.x version
  • myQNAPcloud Link 2.4.x version

 

Cve-2023-51364, cve-2023-51365

  • QTS 5.1.x version
  • QTS 4.5.x version
  • QuTS hero h5.1.x version
  • QuTS hero h4.5.x version
  • QuTScloud c5.x version

 

Resolved Vulnerabilities

 

System security compromise over the network vulnerability in QNAP operating system(CVE-2024-21899)

OS command injection over the network vulnerability in the QNAP operating system(CVE-2024-21900, CVE-2024-27124, CVE-2024-32766)

SQL Injection Vulnerability in QNAP Operating System(CVE-2024-21901)

Vulnerability in the QNAP Operating System due to missing authentication, which could allow unauthorized users to access and execute certain functions (CVE-2024-32764)

Path Traversal Vulnerabilities in the QNAP Operating System(CVE-2023-51364, CVE-2023-51365)

 

Vulnerability Patches

 

Vulnerability Patches have been made available in the latest update. Please follow the instructions on the Referenced Sites to update to the latest Vulnerability Patches version.

Cve-2024-21899, cve-2024-21900, cve-2024-21901, cve-2024-27124, cve-2024-32764, cve-2024-32766

  • QTS 5.1.3.2578 build 20231110 or at least newer
  • QTS 4.5.4.2627 build 20231225 or at least newer
  • QuTS Hero h5.1.3.2578 build 20231110 or at least newer
  • QuTS Hero h4.5.4.2626 build 20231225 or at least newer
  • QuTScloud c5.1.5.2651 build at least
  • myQNAPcloud 1.0.52 (2023/11/24) or at least
  • myQNAPcloud Link 2.4.51 or at least version

 

Cve-2023-51364, cve-2023-51365

  • QTS 5.1.4.2596 build 20231128 or at least
  • QTS 4.5.4.2627 build 20231225 or at least later
  • QuTS Hero h5.1.3.2578 build 20231110 or at least newer
  • QuTS Hero h4.5.4.2626 build 20231225 or at least newer
  • QuTScloud c5.1.5.2651 build or at least newer

 

Referenced Sites

 

[1] Multiple Vulnerabilities in QTS, QuTS hero, QuTScloud, myQNAPcloud, and myQNAPcloud Link (PWN2OWN 2023)

https://www.qnap.com/en/security-advisory/qsa-24-09

[2] Multiple Vulnerabilities in QTS, QuTS hero, and QuTScloud (PWN2OWN 2023)

https://www.qnap.com/en/security-advisory/qsa-24-14

Tags:

Previous Post

Next Post