QNAP patches authentication bypass issue on its NAS

QNAP has issued a warning about vulnerabilities found in QTS, QuTS hero, QuTScloud, and myQNAPcloud components. These flaws could allow attackers to gain access to users’ devices.

The manufacturer has fixed three vulnerabilities: an authentication bypass, a command injection, and a SQL injection. The latter two require the attacker to already be authenticated on the target system, which limits their impact, but the first (CVE-2024-21899) can be exploited remotely without any authentication, so it is the one to prioritise, particularly on devices reachable from the internet.

QNAP describes the vulnerabilities as follows:

  • CVE-2024-21899: Insufficient authentication mechanisms allow unauthorized users to remotely compromise system security.
  • CVE-2024-21900: Authenticated users can execute arbitrary commands on the system over the network, potentially leading to unauthorized access to or control of the system.
  • CVE-2024-21901: Allows authenticated administrators to inject malicious SQL code over the network, potentially leading to database integrity breaches and manipulation of its content.

The listed vulnerabilities affect various versions of QNAP’s operating systems, including QTS 5.1.x, QTS 4.5.x, QuTS hero h5.1.x, QuTS hero h4.5.x, QuTScloud c5.x, and the myQNAPcloud service 1.0.x.

Users are advised to update as soon as possible to the following versions, in which all three issues are resolved:

  • QTS build 20231110 and later versions;
  • QTS build 20231225 and later versions;
  • QuTS hero h5.1.3.2578 build 20231110 and later versions;
  • QuTS hero h4.5.4.2626 build 20231225 and later versions;
  • QuTScloud c5.1.5.2651 and later versions;
  • myQNAPcloud 1.0.52 (2023/11/24) and later versions.
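For fleet checks it helps to turn the list above into a small version comparator. The script below is an added example, not QNAP's tooling or code from the advisory: it parses QNAP-style version strings (the leading "h" and "c" of QuTS hero and QuTScloud are branch letters, not version digits), finds the affected branch a version belongs to, and compares it against the minimum fixed release. Two assumptions are labelled in the code: the page gives no QTS version numbers, so QTS is keyed on build date only, and the two QTS build dates are assigned to the 5.1.x and 4.5.x branches by analogy with the QuTS hero entries that carry the same dates. The sample inputs are constructed for illustration.

```python
"""Check a QNAP product version against the fixed releases listed above."""
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, ...]

# Minimum fixed release per affected branch, taken from the advisory list:
# branch prefix -> (minimum version tuple or None, minimum build date or None).
# ASSUMPTION: the page lists only build dates for QTS, so QTS branches are
# keyed on build date alone, and 20231110 / 20231225 are mapped to 5.1.x /
# 4.5.x by analogy with the QuTS hero lines that carry the same dates.
FIXED: Dict[str, Dict[Version, Tuple[Optional[Version], Optional[int]]]] = {
    "QTS": {
        (5, 1): (None, 20231110),
        (4, 5): (None, 20231225),
    },
    "QuTS hero": {
        (5, 1): ((5, 1, 3, 2578), 20231110),
        (4, 5): ((4, 5, 4, 2626), 20231225),
    },
    "QuTScloud": {
        (5,): ((5, 1, 5, 2651), None),
    },
    "myQNAPcloud": {
        (1, 0): ((1, 0, 52), None),
    },
}


def parse_version(text: str) -> Version:
    """Turn 'h5.1.3.2578' / 'c5.1.5.2651' / '1.0.52' into an int tuple.

    A leading 'h' (QuTS hero) or 'c' (QuTScloud) is QNAP's branch letter and
    is dropped; everything else must be dot-separated integers.
    """
    m = re.fullmatch(r"[hc]?(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def assess(product: str, version: str, build: Optional[int] = None) -> Optional[bool]:
    """True if patched, False if still affected, None if the advisory does not
    cover this product/branch or the data given is not enough to decide."""
    branches = FIXED.get(product)
    if branches is None:
        return None
    ver = parse_version(version)
    # Pick the affected branch whose prefix matches, e.g. (5, 1) for 5.1.3.x.
    matches = [b for b in branches if ver[: len(b)] == b]
    if not matches:
        return None  # branch not listed as affected on this page
    min_ver, min_build = branches[max(matches, key=len)]
    if min_ver is not None:
        # Python compares tuples element-wise; a shorter tuple sorts lower, so
        # "5.1.5" with no fourth component counts as below 5.1.5.2651. That is
        # the conservative outcome for a patch check.
        if ver < min_ver:
            return False
        if ver > min_ver:
            return True
        # Exact version match: the build date decides, if the page gives one.
    if min_build is None:
        return True
    if build is None:
        return None  # cannot decide without the build date
    return build >= min_build


if __name__ == "__main__":
    # Constructed sample inventory, not real device data.
    inventory = [
        ("QTS", "5.1.3", 20231110),
        ("QTS", "5.1.2", 20230901),
        ("QTS", "5.1.3", None),
        ("QuTS hero", "h5.1.3.2578", 20231020),
        ("QuTScloud", "c5.1.4", None),
        ("myQNAPcloud", "1.0.52", None),
        ("Container Station", "2.6", None),
    ]
    labels = {True: "patched", False: "AFFECTED", None: "undetermined"}
    for product, version, build in inventory:
        print(f"{product:18} {version:12} {build or '-':>9}  {labels[assess(product, version, build)]}")
```

Treat an "undetermined" result as a prompt to collect the missing build date or to check the vendor advisory for a branch this page does not list, not as a pass.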