NAS vendor QNAP Systems has urgently issued patches for no fewer than 24 vulnerabilities across its product range, including two high-severity flaws that could allow command execution.
Despite the severity of these vulnerabilities, QNAP has not reported any cases of these bugs being exploited in the wild. The Taiwan-based firm's move is more of a proactive measure against potentially highly damaging exploits.
According to SecurityWeek, the most concerning vulnerabilities, tracked as CVE-2023-45025 and CVE-2023-39297, are OS command injection flaws. These flaws are present in QTS versions 5.1.x and 4.5.x, QuTS hero versions h5.1.x and h4.5.x, and QuTScloud version 5.x. The first of these can be manipulated by users to execute commands across a network under certain system configurations, while the second requires authentication for successful exploitation.
Patch now!
QNAP has also released patches for two additional vulnerabilities, CVE-2023-47567 and CVE-2023-47568. These remotely exploitable flaws are present in QTS, QuTS hero, and QuTScloud and require administrator authentication for successful exploitation. The former is an OS command injection, while the latter is an SQL injection vulnerability.
All four of these security defects have been addressed in the latest QTS, QuTS hero, and QuTScloud versions. Another high-severity vulnerability, CVE-2023-47564, affecting Qsync Central versions 4.4.x and 4.3.x, has also been patched. This bug could allow authenticated users to read or modify critical resources over a network.
In addition to these high-severity flaws, QNAP has patched a number of medium-severity vulnerabilities that could lead to code execution, DoS attacks, command execution, restriction bypass, leakage of sensitive data, and code injection.
For more detailed information on these vulnerabilities, users are advised to visit QNAP's security advisories page.