QNAP fixes multiple flaws, several of them critical, in its QTS and QuTS hero NAS operating systems
Take action: If you run QNAP NAS devices on QTS or QuTS hero, update them to the latest patched version listed below. Such devices are usually not exposed to the public internet, but patch them anyway: an attacker who has compromised a workstation or edge device on the same network can reach them, and at least one of these flaws (CVE-2024-48865) is explicitly exploitable from the local network.
Learn More
QNAP has disclosed multiple critical vulnerabilities affecting its QTS and QuTS hero operating systems, which run on its NAS (Network Attached Storage) device lineup serving over 6 million users worldwide. The potential impact ranges from remote code execution and denial of service (DoS) to data manipulation and information disclosure.
- CVE-2024-48859 (CVSS score 9.8) - Improper Authentication - Could allow remote attackers to compromise the security of the system
- CVE-2024-48865 (CVSS score 9.1) - Improper Certificate Validation - Could allow attackers with local network access to compromise the security of the system
- CVE-2024-48866 (CVSS score 9.4) - Improper Handling of URL Encoding - Could allow remote attackers to cause the system to enter an unexpected state, leading to instability
- CVE-2024-48867 (CVSS score 8.2), CVE-2024-48868 (CVSS score 8.2) - CRLF Injection - Could allow remote attackers to modify application data, impacting data integrity
- CVE-2024-50393 (CVSS score 9.8) - Command Injection - Could allow remote attackers to execute arbitrary commands; high severity because it can lead to full system compromise
- CVE-2024-50402 (CVSS score 9.8), CVE-2024-50403 (CVSS score 9.8) - Externally Controlled Format String - Could allow attackers who have already gained administrator access to read secret data or modify memory
Affected Systems:
- QTS versions 5.1.x and 5.2.x
- QuTS hero versions h5.1.x and h5.2.x
QNAP has released patches for all affected systems:
- QTS 5.1.x: Update to 5.1.9.2954 (November 20, 2024)
- QTS 5.2.x: Update to 5.2.2.2950 (November 14, 2024)
- QuTS hero h5.1.x: Update to h5.1.9.2954 (November 20, 2024)
- QuTS hero h5.2.x: Update to h5.2.2.2952 (November 16, 2024)
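To turn the fixed-build list above into an inventory check, the following added example (not QNAP's code or tooling) classifies each device's reported firmware version against the first patched build on its branch. It assumes version strings in the form QNAP shows in the firmware-update screen, "5.2.2.2950" for QTS and "h5.2.2.2952" for QuTS hero, with a leading "h" marking QuTS hero; the hostnames and versions in the sample inventory are constructed.

```python
"""Inventory check against the QNAP fixed builds (added example, not QNAP's code).

Version strings are assumed to look like "5.2.2.2950" (QTS) or
"h5.2.2.2952" (QuTS hero). The sample inventory below is constructed.
"""
import re

# First fixed build per affected branch, taken from the advisory above.
FIXED_BUILDS = {
    ("QTS", (5, 1)): (5, 1, 9, 2954),
    ("QTS", (5, 2)): (5, 2, 2, 2950),
    ("QuTS hero", (5, 1)): (5, 1, 9, 2954),
    ("QuTS hero", (5, 2)): (5, 2, 2, 2952),
}

_VERSION_RE = re.compile(r"^(h?)(\d+)\.(\d+)\.(\d+)\.(\d+)$")


def parse_version(version):
    """Return (os_name, numeric tuple) for a QNAP firmware version string.

    The leading "h" distinguishes QuTS hero from QTS. Raises ValueError
    on anything that does not match the four-field build format, so a
    malformed inventory entry is reported rather than silently skipped.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised QNAP version string: {version!r}")
    os_name = "QuTS hero" if m.group(1) == "h" else "QTS"
    return os_name, tuple(int(x) for x in m.groups()[1:])


def assess(version):
    """Classify one device's firmware.

    Returns one of:
      "patched"      - on an affected branch, at or above the fixed build
      "vulnerable"   - on an affected branch, below the fixed build
      "not-covered"  - a branch this advisory does not list (e.g. 4.5.x);
                       check it manually against QNAP's advisory page
    """
    os_name, nums = parse_version(version)
    fixed = FIXED_BUILDS.get((os_name, nums[:2]))
    if fixed is None:
        return "not-covered"
    # Tuple comparison is lexicographic, so 5.1.9.2954 > 5.1.8.2823 and
    # 5.2.2.2950 > 5.2.1.2930 compare the way a human reads them.
    return "patched" if nums >= fixed else "vulnerable"


def triage(inventory):
    """Group a {hostname: version} mapping by assessment result."""
    result = {"vulnerable": [], "patched": [], "not-covered": []}
    for host, version in sorted(inventory.items()):
        result[assess(version)].append(host)
    return result


# Constructed sample inventory; hostnames and versions are illustrative.
SAMPLE_INVENTORY = {
    "nas-finance-01": "5.2.1.2930",    # QTS 5.2.x, before the fixed build
    "nas-finance-02": "5.2.2.2950",    # exactly the fixed build
    "nas-backup-01": "h5.1.8.2823",    # QuTS hero h5.1.x, before the fix
    "nas-backup-02": "h5.2.3.3006",    # later than the fixed build
    "nas-legacy-01": "4.5.4.2627",     # branch not listed in this advisory
}

if __name__ == "__main__":
    for state, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{state}: {', '.join(hosts) or '-'}")
```

Feed it the version column exported from your asset inventory or from the QNAP management console. Devices on a branch the advisory does not list come back as "not-covered" rather than "patched", because a version the table does not know about is not evidence of safety.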
Given that QNAP NAS devices often store sensitive data including financial records and backups, the risk to organizations is significant.