QNAP is sounding the alarm on its NAS devices, saying they’re vulnerable to flaws that could result in dangerous cyberattacks.
The company has said some of its QTS, QuTS hero, QuTScloud, and myQNAPcloud products were vulnerable to three distinct flaws, one of which was particularly dangerous.
That flaw is tracked as CVE-2024-21899, and described as an improper authentication mechanism. Hackers can use this vulnerability, the company explained, to remotely compromise the target system’s security, through the network. The other two vulnerabilities are tracked as CVE-2024-21900, and CVE-2024-21901. The former allows for arbitrary command execution, while the latter malicious SQL code injection. The difference between these two, and the first one, is that only the first one can be abused remotely, and without the need for authentication upfront.
Patch, or face the consequences
The versions of QNAP’s operating system vulnerable to these flaws are QTS 5.1.x, QTS 4.5.x, QuTS hero h5.1.x, QuTS hero h4.5.x, QuTScloud c5.x, and the myQNAPcloud 1.0.x service.
To defend against potential attackers, QNAP NAS users are advised to upgrade their instances to these versions:
QTS 5.1.3.2578 build 20231110 and later
QTS 4.5.4.2627 build 20231225 and later
QuTS hero h5.1.3.2578 build 20231110 and later
QuTS hero h4.5.4.2626 build 20231225 and later
QuTScloud c5.1.5.2651 and later
myQNAPcloud 1.0.52 (2023/11/24) and later
QNAP’s NAS devices are popular among SMBs, which makes them a major target for cybercrooks. The Taiwanese manufacturer often discovers, and patches, high severity and critical vulnerabilities, and users are advised to keep track and apply the patch at the earliest moment.
Roughly a month ago, QNAP patched 24 vulnerabilities across its product range, including two high-severity flaws that could enable command execution, and in late January, QNAP patched a dangerous flaw affecting QTS 5.0.1 and QuTS hero h.5.0.1.
Via BleepingComputer
More from TechRadar Pro
Services Marketplace – Listings, Bookings & Reviews