Qnap Security Advisory Bulletin ID: QSA-21-23, QSA-21-24 and QSA-21-25
Concerning out-of-bounds read vulnerability in QSS, inclusion of sensitive information in QSS, and improper access control vulnerability in Helpdesk
This is a Press Release edited by StorageNewsletter.com on June 18, 2021 at 2:30 pm
QNAP Systems, Inc. has published security enhancements against security vulnerabilities that could affect specific versions of the company’s products.
Use the following information and solutions to correct the security issues and vulnerabilities.
The advisory includes the following:
• Out-of-bounds read vulnerability in QSS (ID: QSA-21-23)
• Inclusion of sensitive information in QSS (ID: QSA-21-24)
• Improper access control vulnerability in Helpdesk (ID: QSA-21-25)
Out-of-bounds read vulnerability in QSS
Release date: June 11, 2021
Security ID: QSA-21-23
Severity: Low
CVE identifier: CVE-2021-28801
Affected products: Certain QNAP switches
Summary
An out-of-bounds read vulnerability has been reported to affect certain QNAP switches running QSS. If exploited, this vulnerability allows attackers to read sensitive information on the system.
The company has already fixed this vulnerability in the following versions:
• QSW-M2108-2C: QSS 1.0.2 build 20210122 and later
• QSW-M2108-2S: QSS 1.0.2 build 20210122 and later
• QSW-M2108R-2C: QSS 1.0.2 build 20210122 and later
Inclusion of sensitive information in QSS
Release date: June 11, 2021
Security ID: QSA-21-24
Severity: High
CVE identifier: CVE-2021-28805
Affected products: Certain QNAP switches
Summary
Inclusion of sensitive information in the source code has been reported to affect certain QNAP switches running QSS. If exploited, this vulnerability allows attackers to read application data.
The company has already fixed this vulnerability in the following versions:
• QSW-M2108-2C: QSS 1.0.3 build 20210505 and later
• QSW-M2108-2S: QSS 1.0.3 build 20210505 and later
• QSW-M2108R-2C: QSS 1.0.3 build 20210505 and later
• QSW-M408: QSS 1.0.12 build 20210506 and later
Improper access control vulnerability in Helpdesk
Release date: June 11, 2021
Security ID: QSA-21-25
Severity: High
CVE identifier: CVE-2021-28814
Affected products: All QNAP NAS
Summary
An improper access control vulnerability has been reported to affect QNAP NAS. If exploited, this vulnerability allows remote attackers to compromise the security of the software.
The company has already fixed this issue in Helpdesk 3.0.4 and later versions.