In context: Community-attached storage (NAS) units manufactured by QNAP are common for file sharing, virtualization, surveillance, and storage administration functions. The company can also be well-known for its buggy NAS firmware releases, with some points bringing important vulnerabilities to the networks connected to these units.
Taiwan-based NAS producer QNAP urges machine homeowners to carry out firmware updates as quickly as doable as a result of cyber-criminals might simply compromise them because of a newly found essential safety vulnerability. The flaw is a part of three not too long ago unveiled bugs that builders have already patched within the firm’s many Linux-based community and cloud functions working methods.
A safety bulletin (QSA-24-09) lists a number of flaws affecting “sure” working system variations. Essentially the most extreme situation (CVE-2024-21899) issues an improper authentication vulnerability that would permit malicious customers to compromise NAS safety by way of a community. The NIST database lists the safety gap with a “essential” rating of 9.8, noting that expert (and motivated) cyber-criminals might simply exploit the bug.
Different flaws in QNAP’s software program embody an injection vulnerability (CVE-2024-21900) that would permit authenticated customers to execute instructions by way of a community and an SQL injection vulnerability (CVE-2024-21901) that would allow authenticated directors to inject malicious code on the myQNAPcloud platform. Each flaws have a “medium” NIST rating, which means they need to not pose the identical excellent menace to NAS safety as CVE-2024-21899.
The corporate has already launched up to date firmware to repair the three bugs and marked the safety bulletin as “Resolved.” The affected merchandise embody QTS 5.1.x, QTS 4.5.x, QuTS hero h5.1.x, QuTS hero h4.5.x, QuTScloud c5.x, and myQNAPcloud 1.0.x. Homeowners and admins ought to instantly run common replace duties for his or her NAS methods and functions. The newest firmware variations will present valuable safety fixes and enhance their community storage expertise.
Detailed directions on discovering and putting in not too long ago launched firmware, with totally different replace paths described for QTS, QuTS hero, QuTScloud, and the cloud-focused myQNAPcloud platform, can be found. Clients and system directors ought to browse QNAP’s product assist standing web page to see the most recent updates for his or her particular NAS mannequin.
