CVE-2020-2490 & CVE-2020-2492: QNAP QTS Command Injection Vulnerabilities Alert

Network-attached storage (NAS) device maker QNAP recently issued a reminder that two security vulnerabilities discovered in the QTS operating system have been fixed.

However, users must upgrade the QTS operating system on their own devices to the latest version. Both vulnerabilities are command injection vulnerabilities and are therefore highly dangerous.

QNAP did not elaborate on how these vulnerabilities work, but usually, command injection vulnerabilities can easily allow an attacker to directly take over the entire device.

The two vulnerabilities are tracked as CVE-2020-2490 and CVE-2020-2492, and both are classified as command injection vulnerabilities.

QNAP’s NAS devices provide an environment for file storage, file sharing, and file backup, so an attacker who exploits the vulnerability to take over the device can do more harm to users.

QNAP stated that users should upgrade their operating system to at least version QTS 4.4.3.1421 build 20200907; devices running a lower version are affected by the vulnerability.

Earlier, the company also warned that certain older operating system versions were affected by the Windows Zerologon vulnerability.

For security reasons, users are advised to log in to the QNAP device with the administrator account, go to Control Panel > System > Firmware Update, and under Live Update click Check for Update.

Via: bleepingcomputer