QNAP fixes critical authentication flaw in its QTS, QuTS and myQNAPcloud
Take action: If you are using QNAP devices, it is time to patch your QTS, QuTS and myQNAPcloud. You can always isolate them from internet access, but eventually someone will find the flaw. Best to patch; the process is quite easy.
QNAP, a manufacturer of Network Attached Storage (NAS) devices based in Taiwan, has issued an advisory alerting users to critical vulnerabilities discovered in its NAS software.
These software products include QTS, QuTS hero, QuTScloud, and myQNAPcloud.
The critical issue is tracked as CVE-2024-21899 (CVSS score 9.8), a critical authentication bypass flaw. The vulnerability can be exploited remotely, without any need for authentication, using a low-complexity attack.
The other two vulnerabilities, CVE-2024-21900 (CVSS score 4.3) and CVE-2024-21901 (CVSS score 4.7), are less severe. CVE-2024-21900 enables authenticated users to execute arbitrary commands over the network, which could lead to unauthorized access or control of the system. CVE-2024-21901 allows authenticated administrators to conduct SQL injection attacks that could compromise the integrity of the database and manipulate its contents.
The vulnerabilities affect various versions of QNAP's operating systems, including QTS versions 5.1.x and 4.5.x, QuTS hero versions h5.1.x and h4.5.x, QuTScloud version c5.x, and the myQNAPcloud service version 1.0.x. They have been fixed in the following versions:
- QTS 5.1.3.2578 build 20231110 and later
- QTS 4.5.4.2627 build 20231225 and later
- QuTS hero h5.1.3.2578 build 20231110 and later
- QuTS hero h4.5.4.2626 build 20231225 and later
- QuTScloud c5.1.5.2651 and later
- myQNAPcloud 1.0.52 (2023/11/24) and later
For updating, users of QTS, QuTS hero, and QuTScloud should access the system's 'Control Panel > System > Firmware Update' and click 'Check for Update' to initiate the automatic installation process. Similarly, to update myQNAPcloud, users must log in as admin, navigate to the 'App Center', search for 'myQNAPcloud', and select 'Update' to begin the update process.
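To check a fleet of devices against the fixed versions listed above, here is an added Python example (not code from QNAP or from the advisory). It assumes version strings in the advisory's own format; the hostnames and versions in the sample inventory are constructed, and the branch-aware comparison is the point: a newer branch number does not imply a fixed build.

```python
import re
# Fixed versions from the QNAP advisory, per product and release branch. Each
# branch has its own minimum: QTS 5.1.2 is unpatched even though 5.1 > 4.5, so a
# plain "newer is better" comparison would be wrong.
FIXED_VERSIONS = {
    "QTS":         {"5.1": (5, 1, 3, 2578), "4.5": (4, 5, 4, 2627)},
    "QuTS hero":   {"5.1": (5, 1, 3, 2578), "4.5": (4, 5, 4, 2626)},
    "QuTScloud":   {"5":   (5, 1, 5, 2651)},
    "myQNAPcloud": {"1.0": (1, 0, 52)},
}
# Matches the advisory's spelling, e.g. "QuTS hero h5.1.3.2578 build 20231110";
# the h/c prefix and the trailing build date take no part in the comparison.
VERSION_RE = re.compile(
    r"^(?P<product>QTS|QuTS hero|QuTScloud|myQNAPcloud)\s+[hc]?(?P<ver>\d+(?:\.\d+)+)"
)

def parse_version(text):
    """Return (product, version_tuple); raise ValueError on an unknown format."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return m.group("product"), tuple(int(p) for p in m.group("ver").split("."))

def branch_of(product, version):
    # QuTScloud is listed as a one-component branch (c5.x), the others as two (5.1.x).
    depth = 1 if product == "QuTScloud" else 2
    return ".".join(str(p) for p in version[:depth])

def is_patched(text):
    """True if at/above the fixed build on its branch, False if below, None if the
    branch is not covered by the advisory (review manually). A version reported
    without its build number is shorter than the minimum and compares as unpatched."""
    product, version = parse_version(text)
    minimum = FIXED_VERSIONS[product].get(branch_of(product, version))
    return None if minimum is None else version >= minimum

def audit(inventory):
    """Map each (host, version string) to 'patched', 'vulnerable' or 'not covered'."""
    labels = {True: "patched", False: "vulnerable", None: "not covered"}
    return {host: labels[is_patched(ver)] for host, ver in inventory}

# Constructed sample inventory: hostnames and versions are made up for illustration.
SAMPLE_INVENTORY = [
    ("nas-01", "QTS 5.1.3.2578 build 20231110"),        # patched
    ("nas-02", "QTS 5.1.2.2533 build 20230926"),        # vulnerable: below 5.1.3.2578
    ("nas-03", "QuTS hero h4.5.4.2626 build 20231225"), # patched
    ("nas-04", "QTS 5.0.1.2000 build 20220101"),        # not covered: 5.0 branch not listed
    ("portal", "myQNAPcloud 1.0.51"),                   # vulnerable
]
```

Run `audit(SAMPLE_INVENTORY)` before and after rolling out the update described above to confirm every host landed on a fixed build of its own branch.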