QNAP has unveiled security updates to handle two critical security flaws impacting its working procedure that could final result in arbitrary code execution.
Tracked as CVE-2023-23368 (CVSS rating: 9.8), the vulnerability is described as a command injection bug influencing QTS, QuTS hero, and QuTScloud.
“If exploited, the vulnerability could enable distant attackers to execute instructions by means of a network,” the organization claimed in an advisory published above the weekend.
The shortcoming spans the down below variations –
- QTS 5..x (Mounted in QTS 5..1.2376 build 20230421 and later)
- QTS 4.5.x (Mounted in QTS 188.8.131.524 develop 20230416 and afterwards)
- QuTS hero h5..x (Fixed in QuTS hero h5..1.2376 build 20230421 and later)
- QuTS hero h4.5.x (Fixed in QuTS hero h184.108.40.2064 develop 20230417 and later on)
- QuTScloud c5..x (Preset in QuTScloud c5..1.2374 and later)
Also fixed by QNAP is an additional command injection flaw in QTS, Multimedia Console, and Media Streaming incorporate-on (CVE-2023-23369, CVSS score: 9.) that could make it possible for distant attackers to execute instructions by way of a network.
The adhering to variations of the software program are impacted –
- QTS 5.1.x (Fastened in QTS 5.1..2399 develop 20230515 and afterwards)
- QTS 4.3.6 (Fixed in QTS 220.127.116.111 establish 20230621 and later on)
- QTS 4.3.4 (Fastened in QTS 18.104.22.1681 construct 20230621 and afterwards)
- QTS 4.3.3 (Mounted in QTS 22.214.171.1240 build 20230621 and later)
- QTS 4.2.x (Fixed in QTS 4.2.6 make 20230621 and afterwards)
- Multimedia Console 2.1.x (Mounted in Multimedia Console 2.1.2 (2023/05/04) and afterwards)
- Multimedia Console 1.4.x (Mounted in Multimedia Console 1.4.8 (2023/05/05) and afterwards)
- Media Streaming incorporate-on 500.1.x (Preset in Media Streaming include-on 500.1.1.2 (2023/06/12) and afterwards)
- Media Streaming insert-on 500..x (Fastened in Media Streaming increase-on 500…11 (2023/06/16) and later on)
With QNAP gadgets exploited for ransomware attacks in the past, customers jogging a single of the aforementioned variations are urged to update to the most current edition to mitigate probable threats.
The improvement will come weeks right after the Taiwanese corporation disclosed it took down a malicious server utilized in popular brute-pressure attacks concentrating on internet-uncovered network-connected storage (NAS) products with weak passwords.
Located this article attention-grabbing? Comply with us on Twitter and LinkedIn to browse more exclusive articles we write-up.
Some pieces of this short article are sourced from: