Skip to main content

QNAP Releases Security Updates for Multiple Products

The most serious vulnerabilities could allow a remote unauthenticated attacker to gain unauthorised access to QNAP products

Threat ID:
CC-4581
Threat Severity:
Medium
Published:
27 November 2024 1:05 PM
Report a cyber attack: call 0300 303 5222 or email [email protected]

Summary

The most serious vulnerabilities could allow a remote unauthenticated attacker to gain unauthorised access to QNAP products

The following platforms are also known to be affected:

  • OpenSSH
  • Vulnerability in Media Streaming Add-on

Threat details

Introduction

QNAP has released eight advisories for multiple products including Note Station 3, Photo Station, AI Core, QuLog Center, QuRouter, QTS, and QuTS.

The most critical vulnerability, CVE-2024-38643, has a CVSSv3 score of 9.8 and affects Note Station 3. A remote unauthenticated attacker could exploit CVE-2024-38643 to gain unauthorised access to the system. 

Remediation advice

Affected organisations are encouraged to review the relevant QNAP Security Advisories and apply any applicable updates.

CVE Vulnerabilities

Status Published

CVE-2024-38643

A missing authentication for critical function vulnerability has been reported to affect Notes Station 3. If exploited, the vulnerability could allow remote attackers to gain access to and execute certain functions. 
Status Published

CVE-2024-38644

An OS command injection vulnerability has been reported to affect Notes Station 3. If exploited, the vulnerability could allow remote authenticated attackers to execute commands. 
Status Published

CVE-2024-50396

A use of externally-controlled format string vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow remote attackers to obtain secret data or modify memory. 
Status Published

CVE-2024-50397

A use of externally-controlled format string vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow remote attackers who have gained user access to obtain secret data or modify memory. We have already fixed the vulnerability in the following versions: QTS 5.2.1.2930 build 20241025 and later QuTS hero h5.2.1.2929 build 20241025 and later
Status Published

CVE-2024-50398

A use of externally-controlled format string vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow remote attackers who have gained administrator access to obtain secret data or modify memory.
Status Published

CVE-2024-50399

A use of externally-controlled format string vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow remote attackers who have gained administrator access to obtain secret data or modify memory. 
Status Published

CVE-2024-50400

A use of externally-controlled format string vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow remote attackers who have gained administrator access to obtain secret data or modify memory. 
Status Published

CVE-2024-50401

A use of externally-controlled format string vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow remote attackers who have gained administrator access to obtain secret data or modify memory.

Last edited: 27 November 2024 1:05 pm