QNAP releases patches for two vulnerabilities, severity unclear. Patch if possible.

The Taiwanese network-attached storage (NAS) manufacturer QNAP has disclosed two new vulnerabilities, with one being identified as a zero-day actively exploited. The reserach was made in collaboration with researchers at Unit 42 of Palo Alto Networks,

•  CVE-2023-50358, has been given a severity score of 5.8 out of 10 by QNAP, suggesting a high-complexity attack with low impact. However, Unit 42's analysis contrasts sharply, highlighting the vulnerabilities as having low attack complexity and critical impact, emphasizing the urgency in securing IoT devices against such threats. The German Federal Office for Information Security (BSI) also issued an emergency alert, indicating the potential for major damage from successful exploits and urging the application of patches. CVE-2023-50358, is a command injection flaw found in the quick.cgi component of QNAP's QTS firmware, which is prevalent across most of their NAS devices. This flaw allows for arbitrary command execution by manipulating the HTTP request parameter `todo=set_timeinfo` to save untrusted data in a configuration file, which is then executed using the system command. This exposes the devices to remote code execution risks.
• CVE-2023-47218 is the second patched vulnerability, also assigned a CVSS score of 5.9. Technical information about this vulnerability is not disclosed in QNAP's advisory.

QNAP has issued patches for multiple different firmware versions across its products, including QTS, QuTS hero, and QuTAcloud, each with specific recommendations for updating or mitigating the vulnerabilities.