Advisory

QNAP releases multiple patches, including two high severity

Take action: Patching CVE-2023-45025 is a priority item for all users of QNAP NAS devices exposed to the internet. The others are important, but not a panic-mode effort.

Learn More

QNAP Systems, a Taiwan-based manufacturer of NAS systems and CCTV video recorders, has released a series of patches for vulnerabilities affecting its products, with an emphasis on two high-severity flaws that pose a risk of command execution via OS command injection.

The critical vulnerabilities, tracked as CVE-2023-45025 (CVSS score 9) and CVE-2023-39297 (CVSS score 8.8), affect:

  • QTS versions 5.1.x and 4.5.x,
  • QuTS hero versions h5.1.x and h4.5.x,
  • QuTScloud version 5.x.

The CVE-2023-45025 vulnerability allows for command execution over the network under certain configurations without the need for authentication, while CVE-2023-39297 requires authentication for exploitation.

Additionally, QNAP has patched other vulnerabilities, including CVE-2023-47567, an OS command injection vulnerability, and CVE-2023-47568, an SQL injection flaw, both of which also necessitate administrator-level authentication for exploitation. These vulnerabilities were addressed in updated versions of QTS, QuTS hero, and QuTScloud.

A third high-severity issue, tracked as CVE-2023-47564, affecting Qsync Central versions 4.4.x and 4.3.x, was identified as an incorrect permission assignment for critical resources, allowing authenticated users to potentially read or modify sensitive data over a network. This vulnerability has been resolved in the latest releases of Qsync Central.

In addition to these high-severity flaws, QNAP has released fixes for multiple medium-severity vulnerabilities that could lead to various security risks, including code execution, denial-of-service (DoS) attacks, command execution, restriction bypass, sensitive data leakage, and code injection. QNAP has not reported any active exploitation of these vulnerabilities in attacks.
