Security Alert: QNAP Tackles 15 Unique System Vulnerabilities

QNAP Systems published security advisories for 15 vulnerabilities, each posing a unique challenge to the integrity of their systems. From OS command injections to SQL injections, each flaw uncovered in their operating systems and applications underscored the relentless need for robust security protocols.

TS-1655 NAS

1. OS command injection vulnerability in QcalAgent: CVE-2023-41289 (CVSS 6.3)

The QcalAgent was susceptible to an OS command injection vulnerability, a precarious flaw that could have allowed authenticated users to execute commands across a network. This vulnerability, if left unaddressed, could have opened doors for cyber attackers to manipulate system functionalities from afar.

2. Prototype Pollution in QTS and QuTS hero: CVE-2023-39296 (CVSS 7.5)

A more insidious form of vulnerability, prototype pollution, was identified in certain versions of QNAP operating systems. The potential for remote users to override existing attributes with incompatible types posed a significant threat, potentially leading to system crashes.

3. Administrative Overreach in QTS and QuTS hero: CVE-2023-39294 (CVSS 6.6)

Another OS command injection vulnerability was identified, this time within the QTS and QuTS hero systems. The flaw could empower authenticated administrators with undue capabilities to execute network commands, a sobering reminder of the delicate balance in administrative controls.

4. Cross-Site Scripting and Command Injection in QuMagie: CVE-2023-47559 (CVSS 5.5) & CVE-2023-47560 (CVSS 7.4)

QuMagie, a popular photo management application, wasn’t immune to vulnerabilities. It suffered from a cross-site scripting vulnerability and an OS command injection flaw, both of which could enable authenticated users to inject malicious code or execute commands via a network.

5. SQL Injection in QuMagie: CVE-2023-47219 (CVSS 3.5)

QuMagie was also vulnerable to an SQL injection, a critical security flaw allowing authenticated users to tamper with the database by injecting malicious SQL statements.

6. Video Station’s Dual Threats: CVE-2023-41287 (CVSS 4.3) & CVE-2023-41288 (CVSS 8.8)

Video Station, another QNAP application, was found with two vulnerabilities – an SQL injection and an OS command injection, both posing serious risks to data integrity and system control.

7. Netatalk’s High-Risk Vulnerability: CVE-2022-43634 (CVSS 9.8)

A major vulnerability in Netatalk, affecting specific QNAP operating system versions, highlighted the need for continual monitoring and updating of third-party applications integrated within broader system architectures.

8. A Series of Buffer Copy Flaws in QTS and QuTS hero: CVE-2023-45039 to CVE-2023-45044 (CVSS 3.8)

A cluster of vulnerabilities related to buffer copy without checking the size of input were found in QTS and QuTS hero. These vulnerabilities, though seemingly minor with a CVSS score of 3.8, could have allowed authenticated administrators to execute code across a network, emphasizing the need for precise coding practices.

QNAP’s response to these vulnerabilities was swift and effective, with patches and updated versions released to counter each threat. The fixed versions for each vulnerability, ranging from QcalAgent 1.1.8 to QTS 5.1.4.2596, resolved the immediate issues and served as a testament to the company’s commitment to cybersecurity.

QNAP users are advised to apply the available security updates as soon as possible.