What are the vulnerabilities affecting QNAP NAS devices?

The vulnerabilities affecting QNAP NAS devices are CVE-2023-23368, with a CVSS score of 9.8, and CVE-2023-23369, with a CVSS score of 9.0. They affect various versions of the QTS operating system, QuTS hero, QuTScloud, the Multimedia Console, and Media Streaming add-on.

Which versions of QNAP's operating systems and applications are affected?

Affected versions include various builds of QTS 5.0.x, QTS 4.5.x, QuTS hero h5.0.x, QuTS hero h4.5.x, QuTScloud c5.0.x for CVE-2023-23368, and builds of QTS 5.1.x, QTS 4.3.6, QTS 4.3.4, QTS 4.3.3, QTS 4.2.x, Multimedia Console 2.1.x, Multimedia Console 1.4.x, Media Streaming add-on 500.1.x, and Media Streaming add-on 500.0.x for CVE-2023-23369.

Have QNAP devices been targeted by ransomware attacks in the past?

Yes, in the past, QNAP devices were targeted by ransomware attacks that exploited vulnerabilities to encrypt devices.

Advisory

NAS vendor QNAP warns of critical vulnerabilities in QTS OS

Q: What has QNAP Systems done about the security vulnerabilities in its NAS devices?

QNAP Systems has addressed two critical security vulnerabilities that could allow remote attackers to execute arbitrary commands through the network. These vulnerabilities are tracked as CVE-2023-23368 and CVE-2023-23369.

Q: How can administrators update their QNAP NAS devices to fix these vulnerabilities?

Administrators can update their systems by navigating to the Firmware Update section in the Control Panel of their NAS device or by downloading the updates manually from QNAP's website.

published: Nov. 6, 2023

Take action: If you are using QNAP devices, lock them from access to the public internet and patch as soon as possible

Learn More

QNAP Systems, a Taiwanese company that specializes in network-attached storage (NAS) appliances has addressed two critical security vulnerabilities in its network-attached storage (NAS) devices that could allow remote attackers to execute arbitrary commands through the network.

The vulnerabilities are tracked as

CVE-2023-23368, (CVSS score 9.8) affects various versions of the QTS operating system, as well as QuTS hero and QuTScloud, with specific versions outlined as vulnerable.
CVE-2023-23369, (CVSS score 9.0) impacts additional versions of QTS and extends to the Multimedia Console and Media Streaming add-on.

QNAP has provided updates to fix these vulnerabilities in multiple versions of their operating systems and applications:

For CVE-2023-23368

Affected Product	Fixed Version
QTS 5.0.x	QTS 5.0.1.2376 build 20230421 and later
QTS 4.5.x	QTS 4.5.4.2374 build 20230416 and later
QuTS hero h5.0.x	QuTS hero h5.0.1.2376 build 20230421 and later
QuTS hero h4.5.x	QuTS hero h4.5.4.2374 build 20230417 and later
QuTScloud c5.0.x	QuTScloud c5.0.1.2374 and later

For CVE-2023-23369

Affected Product	Fixed Version
QTS 5.1.x	QTS 5.1.0.2399 build 20230515 and later
QTS 4.3.6	QTS 4.3.6.2441 build 20230621 and later
QTS 4.3.4	QTS 4.3.4.2451 build 20230621 and later
QTS 4.3.3	QTS 4.3.3.2420 build 20230621 and later
QTS 4.2.x	QTS 4.2.6 build 20230621 and later
Multimedia Console 2.1.x	Multimedia Console 2.1.2 (2023/05/04) and later
Multimedia Console 1.4.x	Multimedia Console 1.4.8 (2023/05/05) and later
Media Streaming add-on 500.1.x	Media Streaming add-on 500.1.1.2 (2023/06/12) and later
Media Streaming add-on 500.0.x	Media Streaming add-on 500.0.0.11 (2023/06/16) and later

Administrators are advised to update their systems by navigating to the Firmware Update section in the Control Panel of their NAS device or by downloading the updates manually from QNAP's website. In the past QNAP devices were targeted by ransomware attacks, exploiting vulnerabilities to encrypt devices.

NAS vendor QNAP warns of critical vulnerabilities in QTS OS

Read More
Canon issues patch for seven critical issues in …
Mozilla releases Firefox patches, fixes 15 vulnerabilities including …
Google releases Chrome 128 fixing eight high severity …
Google Patches High-Severity V8 Race Condition in Chrome …
Limit your trust in Social media apps - …