Skip to main content

QNAP Fixes Several Vulnerabilities Affecting High-End NAS Devices

QNAP has released a security update addressing several vulnerabilities in their QTS and QuTS NAS operating systems

Threat ID:
CC-4586
Threat Severity:
Medium
Published:
10 December 2024 2:05 PM
Report a cyber attack: call 0300 303 5222 or email [email protected]

Summary

QNAP has released a security update addressing several vulnerabilities in their QTS and QuTS NAS operating systems

Affected platforms

The following platforms are known to be affected:

Versions: QTS 5.1.x, 5.2.x

QNAP QTS

Versions: QuTS hero h5.1.x, h5.2.x

QNAP QuTS Hero

Threat details

Introduction

QNAP has released fixes for several vulnerabilities affecting the QTS and QuTS hero operating systems. In addition to the three high severity vulnerabilities below, the security advisory also addresses two medium severity vulnerabilities and three low severity vulnerabilities. QuTS is QNAP's operating system for high-end enterprise NAS devices.

Vulnerability Details

  • CVE-2024-48865: An improper certificate validation vulnerability with a CVSSv4 score of 7.3. If exploited, an attacker with local network access could compromise the security of the system.
  • CVE-2024-48868: A CRLF Injection vulnerability with a CVSSv4 score of 8.7. If exploited, remote attackers could modify application data.
  • CVE-2024-50393: A command injection vulnerability with a CVSSv4 score of 8.7. If exploited, remote attackers could be able to execute arbitrary commands.

Remediation advice

Affected organisations are encouraged to review QNAP's Security Advisory QSA-24-49 and apply any updates.

Definitive source of threat updates

CVE Vulnerabilities

Status Published

CVE-2024-48859

An improper authentication vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow remote attackers to compromise the security of the system. We have already fixed the vulnerability in the following versions: QTS 5.1.9.2954 build 20241120 and later QTS 5.2.2.2950 build 20241114 and later QuTS hero h5.1.9.2954 build 20241120 and later QuTS hero h5.2.2.2952 build 20241116 and later.
Status Published

CVE-2024-48865

An improper certificate validation vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow attackers with local network access to compromise the security of the system. We have already fixed the vulnerability in the following versions: QTS 5.1.9.2954 build 20241120 and later QTS 5.2.2.2950 build 20241114 and later QuTS hero h5.1.9.2954 build 20241120 and later QuTS hero h5.2.2.2952 build 20241116 and later.
Status Published

CVE-2024-48866

An improper handling of URL encoding (Hex Encoding) vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow remote attackers to run the system into unexpected state. We have already fixed the vulnerability in the following versions: QTS 5.1.9.2954 build 20241120 and later QTS 5.2.2.2950 build 20241114 and later QuTS hero h5.1.9.2954 build 20241120 and later QuTS hero h5.2.2.2952 build 20241116 and later.

 
Status Published

CVE-2024-48867

An improper neutralization of CRLF sequences ('CRLF Injection') vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow remote attackers to modify application data. We have already fixed the vulnerability in the following versions: QTS 5.1.9.2954 build 20241120 and later QTS 5.2.2.2950 build 20241114 and later QuTS hero h5.1.9.2954 build 20241120 and later QuTS hero h5.2.2.2952 build 20241116 and later.
Status Published

CVE-2024-48868

An improper neutralization of CRLF sequences ('CRLF Injection') vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow remote attackers to modify application data. We have already fixed the vulnerability in the following versions: QTS 5.1.9.2954 build 20241120 and later QTS 5.2.2.2950 build 20241114 and later QuTS hero h5.1.9.2954 build 20241120 and later QuTS hero h5.2.2.2952 build 20241116 and later.
Status Published

CVE-2024-50393

A command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow remote attackers to execute arbitrary commands. We have already fixed the vulnerability in the following versions: QTS 5.1.9.2954 build 20241120 and later QTS 5.2.2.2950 build 20241114 and later QuTS hero h5.1.9.2954 build 20241120 and later QuTS hero h5.2.2.2952 build 20241116 and later.
Status Published

CVE-2024-50402

A use of externally-controlled format string vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow remote attackers who have gained administrator access to obtain secret data or modify memory. We have already fixed the vulnerability in the following versions: QTS 5.1.9.2954 build 20241120 and later QTS 5.2.2.2950 build 20241114 and later QuTS hero h5.1.9.2954 build 20241120 and later QuTS hero h5.2.2.2952 build 20241116 and later.
Status Published

CVE-2024-50403

A use of externally-controlled format string vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow remote attackers who have gained administrator access to obtain secret data or modify memory. We have already fixed the vulnerability in the following versions: QTS 5.2.2.2950 build 20241114 and later QuTS hero h5.2.2.2952 build 20241116 and later.

Last edited: 10 December 2024 2:06 pm