Catching up from last week: NAS manufacturer QNAP has published a security advisory for its QTS operating system for NAS devices. The critical vulnerability CVE-2023-23368 (CVSS score 9.8) allows remote command execution on older QTS versions. A second vulnerability, CVE-2023-23369 (CVSS score 9.0), can also be exploited remotely. Updates that close both vulnerabilities are available. Here is an overview of the issue.
The security advisory QSA-23-31 is already dated November 4, 2023 and is titled "Vulnerability in QTS, QuTS hero, and QuTScloud". CVE-2023-23368 is a command injection vulnerability that affects several QNAP operating system versions. Remote attackers can exploit it to execute commands over the network. The vulnerability is rated critical with a CVSS score of 9.8 (out of a maximum of 10.0). The following operating system versions are affected:
- QTS 5.0.x
- QTS 4.5.x
- QuTS hero h5.0.x
- QuTS hero h4.5.x
- QuTScloud c5.0.x
QNAP has released the following updates, which, among other fixes, close the vulnerability above:
- QTS build 20230421 and later
- QTS build 20230416 and later
- QuTS hero h5.0.1.2376 build 20230421 and later
- QuTS hero h4.5.4.2374 build 20230417 and later
- QuTScloud c5.0.1.2374 and later
QNAP recommends updating existing NAS devices to the latest firmware to close such vulnerabilities. The update procedure is described on the QNAP website.
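Checking whether a device is actually on a fixed release is the step that tends to go wrong in practice, because QNAP version strings mix a letter prefix, a four-part number and a build date, and a plain string comparison orders them incorrectly. The following Python checker is an added example, not QNAP's or this post's own code: it parses version strings in the form shown in the advisory (for example "QuTS hero h5.0.1.2376 build 20230421") and compares them against the QSA-23-31 fixed versions that the advisory excerpt above gives in full. The QTS entries are deliberately left out of the table, since the excerpt lists only their build dates without the matching version numbers; the checker reports those branches as unknown until the full versions are added. The sample inputs in the `__main__` block are constructed.

```python
"""Compare a QNAP firmware version string with the fixed versions from QSA-23-31.

Added example (not QNAP's or the post's own code). Version strings are
assumed to follow the form shown in the advisory, e.g.
"QuTS hero h5.0.1.2376 build 20230421" or "QuTScloud c5.0.1.2374".
"""
import re
from typing import NamedTuple, Optional, Tuple


class Firmware(NamedTuple):
    family: str                 # "QTS", "QuTS hero" or "QuTScloud"
    version: Tuple[int, ...]    # numeric components, e.g. (5, 0, 1, 2376)
    build: Optional[str]        # build date as YYYYMMDD, or None if absent


_VERSION_RE = re.compile(
    r"^(?P<family>QTS|QuTS hero|QuTScloud)\s+"
    r"[hc]?(?P<ver>\d+(?:\.\d+)*)"          # optional h/c prefix, dotted numbers
    r"(?:\s+build\s+(?P<build>\d{8}))?$"    # optional "build YYYYMMDD"
)


def parse(text: str) -> Firmware:
    """Split a version string into family, numeric tuple and build date."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised QNAP version string: {text!r}")
    version = tuple(int(part) for part in m.group("ver").split("."))
    return Firmware(m.group("family"), version, m.group("build"))


# Minimum fixed versions per affected branch (family, major, minor), taken
# from the QSA-23-31 entries that carry a full version number. The QTS
# entries are omitted because the advisory excerpt lists only their build
# dates; add them here once the full version numbers are known.
FIXED = {
    ("QuTS hero", 5, 0): parse("QuTS hero h5.0.1.2376 build 20230421"),
    ("QuTS hero", 4, 5): parse("QuTS hero h4.5.4.2374 build 20230417"),
    ("QuTScloud", 5, 0): parse("QuTScloud c5.0.1.2374"),
}


def status(text: str) -> str:
    """Return "fixed", "vulnerable" or "unknown" for a running firmware string.

    Comparison is numeric per component, so 4.5.4.10000 ranks above
    4.5.4.2374 (a plain string comparison would get this wrong).
    """
    fw = parse(text)
    if len(fw.version) < 2:
        return "unknown"
    fixed = FIXED.get((fw.family, fw.version[0], fw.version[1]))
    if fixed is None:
        return "unknown"        # branch not covered by this table
    if fw.version != fixed.version:
        return "fixed" if fw.version > fixed.version else "vulnerable"
    # Same numeric version: decide on the build date when both sides have one.
    if fw.build and fixed.build:
        return "fixed" if fw.build >= fixed.build else "vulnerable"
    return "fixed"


if __name__ == "__main__":
    # Constructed sample inputs; only the fixed versions come from the advisory.
    for sample in ("QuTS hero h5.0.1.2376 build 20230421",
                   "QuTS hero h5.0.1.2348 build 20230301",
                   "QuTScloud c5.0.0.2100",
                   "QTS 5.0.1.2000 build 20230101"):
        print(f"{sample:45} -> {status(sample)}")
```

The branch key (family, major, minor) mirrors the way the advisory groups affected releases ("h5.0.x", "h4.5.x"), so a device on a branch the table does not know about is reported as unknown rather than silently treated as patched.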
The colleagues at Bleeping Computer also mention a second vulnerability, CVE-2023-23369, which is documented in the security advisory QSA-23-35, likewise dated November 4, 2023. It has a CVSS score of 9.0 and can also be exploited remotely. The affected products are:
- QTS 5.1.x, 4.3.6, 4.3.4, 4.3.3, 4.2.x
- Multimedia Console 2.1.x, 1.4.x
- Media Streaming Add-on 500.1.x, 500.0.x
The vulnerability is fixed in the following software versions:
- QTS build 20230515 and later
- QTS build 20230621 and later
- QTS build 20230621 and later
- QTS build 20230621 and later
- QTS 4.2.6 build 20230621 and later
- Multimedia Console 2.1.2 (2023/05/04) and later
- Multimedia Console 1.4.8 (2023/05/05) and later
- Media Streaming add-on 500.1.1.2 (2023/06/12) and later
- Media Streaming add-on 500.0.0.11 (2023/06/16) and later
The update procedure is also described in advisory QSA-23-35.