### #QNAPSecurity #NASVulnerabilities #RemoteExploitation
Summary: QNAP has issued a security advisory for multiple vulnerabilities in its License Center and QTS/QuTS hero operating systems, some of which could allow remote attackers to execute arbitrary commands. Users are urged to update their systems to mitigate these risks.
Threat Actor: Unknown | unknown
Victim: QNAP Users | QNAP
Key Point :
- A critical command injection vulnerability (CVE-2024-48863) in License Center could allow remote attackers to gain complete control of the system.
- Multiple vulnerabilities in QTS and QuTS hero include improper authentication and certificate validation, posing significant security risks.
- QNAP recommends users update to License Center version 1.9.43 or later and the latest versions of QTS and QuTS hero to protect against these vulnerabilities.
QNAP, a leading provider of network-attached storage (NAS) solutions, has issued a security advisory addressing multiple vulnerabilities affecting its License Center and QTS/QuTS hero operating systems. The vulnerabilities range in severity from low to high, with the most severe potentially allowing remote attackers to execute arbitrary commands.
License Center Vulnerability
A critical command injection vulnerability (CVE-2024-48863, CVSS 7.7) has been identified in License Center versions 1.9.x. If exploited, this vulnerability could allow remote attackers to gain complete control of the system. QNAP urges users to update License Center to version 1.9.43 or later to remediate this vulnerability.
QTS and QuTS hero Vulnerabilities
Several vulnerabilities have also been discovered in QTS and QuTS hero operating systems, including:
- Improper Authentication (CVE-2024-48859): This vulnerability could allow remote attackers to compromise the security of the system.
- Improper Certificate Validation (CVE-2024-48865): This vulnerability could allow attackers with local network access to compromise system security.
- Improper Handling of URL Encoding (CVE-2024-48866): This vulnerability could allow remote attackers to cause unexpected system behavior.
- CRLF Injection Vulnerabilities (CVE-2024-48867, CVE-2024-48868): These vulnerabilities could allow remote attackers to modify application data.
- Command Injection Vulnerability (CVE-2024-50393, CVSS 8.7): This vulnerability could allow remote attackers to execute arbitrary commands.
- Use of Externally-Controlled Format String (CVE-2024-50402, CVE-2024-50403): These vulnerabilities could allow remote attackers with administrator access to obtain sensitive data or modify memory.
QNAP has released updated versions of QTS and QuTS hero to address these vulnerabilities. Users are strongly advised to update their systems to the latest versions as soon as possible.
Recommendations for QNAP Users
To protect their systems from these vulnerabilities, QNAP users should take the following actions:
- Update License Center: Update to License Center version 1.9.43 or later.
- Update QTS and QuTS hero: Update to the latest versions of QTS and QuTS hero.
By taking these steps, QNAP users can significantly reduce their risk of falling victim to cyberattacks targeting these vulnerabilities.