Advisory

QNAP fixes critical flaws in multiple products

Take action: If you are running a QNAP NAS, Notes Station or QuRouter, review this advisory in detail. Make sure the NAS devices are not accessible from the internet. For routers that is pointless - it's their job to be on the internet. Patch ASAP.



QNAP has addressed multiple security vulnerabilities affecting products in their ecosystem, including NAS devices, routers, and associated software applications. The most severe vulnerabilities include three critical flaws that require immediate attention from users.

Critical Vulnerabilities:

  • CVE-2024-38643 (CVSS score 9.3) - An authentication bypass vulnerability in Notes Station 3 that could allow remote attackers to gain unauthorized access and execute system functions without credentials
  • CVE-2024-38645 (CVSS score 9.4) - A Server-side Request Forgery (SSRF) vulnerability in Notes Station 3 allowing authenticated remote attackers to manipulate server-side behavior
  • CVE-2024-48860 (CVSS score 9.5) - An OS command injection vulnerability in QuRouter 2.4.x products enabling remote attackers to execute commands on the host system

The company has released patches for several affected products and their associated versions:

Notes Station 3 has been updated to version 3.9.7, addressing both critical flaws along with two high-severity vulnerabilities (CVE-2024-38644 and CVE-2024-38646) related to command injection and unauthorized data access, scored at 8.7 and 8.4 respectively.

QuRouter has been updated to version 2.4.3.106, fixing both the critical command injection flaw and a less severe vulnerability (CVE-2024-48861).

Additional high-severity fixes have been implemented across multiple products:

  • QNAP AI Core version 3.4.1: Addresses information exposure vulnerability (CVE-2024-38647)
  • QuLog Center versions 1.7.0.831 and 1.8.0.888: Fixes file system traversal issue (CVE-2024-48862)
  • QTS 5.2.1.2930 and QuTS hero h5.2.1.2929: Resolves improper handling of format strings (CVE-2024-50396 and CVE-2024-50397)

No attacks exploiting these vulnerabilities have been reported by QNAP at the time of the announcement.

QNAP recommends that users install these updates immediately and emphasizes that devices should never be directly connected to the Internet. Instead, they should be deployed behind a VPN to prevent remote exploitation of these vulnerabilities.
