Qnap Security Advisory: Bulletin ID: QSA-21-03, QSA-21-33, QSA-21-34, QSA-21-36, QSA-21-37
Concerning insufficient HTTP security headers and stack buffer overflow vulnerabilities in QTS, QuTS hero, and QuTScloud, stack buffer overflow vulnerability in QUSBCam2, stack-based buffer overflow vulnerabilities in NVR Storage Expansion, and insufficiently protected credentials in QSW-M2116P-2T2S and QuNetSwitch
This is a Press Release edited by StorageNewsletter.com on September 13, 2021 at 1:30 pm
Qnap Systems, Inc. has published security enhancements against security vulnerabilities that could affect specific versions of the company’s products. Use the following information and solutions to correct the security issues and vulnerabilities.
The advisory includes the following:
- Insufficient HTTP Security Headers in QTS, QuTS hero, and QuTScloud (ID: QSA-21-03)
- Stack Buffer Overflow Vulnerabilities in QTS, QuTS hero, and QuTScloud (ID: QSA-21-33)
- Stack Buffer Overflow Vulnerability in QUSBCam2 (ID: QSA-21-34)
- Stack-Based Buffer Overflow Vulnerabilities in NVR Storage Expansion (ID: QSA-21-36)
- Insufficiently Protected Credentials in QSW-M2116P-2T2S and QuNetSwitch (ID: QSA-21-37)
Insufficient HTTP security headers in QTS, QuTS hero, and QuTScloud
Security ID: QSA-21-03
Release date: September 10, 2021
Severity: Medium
CVE identifier: CVE-2018-19957
Affected products: All QNAP NAS
Summary
A vulnerability involving insufficient HTTP security headers has been reported to affect the firm’s NAS running QTS, QuTS hero, and QuTScloud. This vulnerability allows remote attackers to launch privacy and security attacks.
The company has already fixed this vulnerability in the following versions:
- QTS 4.5.4.1715 build 20210630 and later
- QuTS hero h4.5.4.1771 build 20210825 and later
- QuTScloud c4.5.6.1755 build 20210809 and later
Stack buffer overflow vulnerabilities in QTS, QuTS hero, and QuTScloud
Security ID: QSA-21-33
Release date: September 10, 2021
Severity: High
CVE identifier: CVE-2021-28816 | CVE-2021-34343
Affected products: All QNAP NAS
Summary
Two stack buffer overflow vulnerabilities have been reported to affect the firm’s devices running QTS, QuTS hero, and QuTScloud. If exploited, these vulnerabilities allow attackers to execute arbitrary code.
The company has already fixed these vulnerabilities in the following versions:
- QTS 5.0.0.1716 build 20210701 and later
- QTS 4.5.4.1715 build 20210630 and later
- QTS 4.3.6.1750 build 20210730 and later
- QTS 4.3.3.1693 build 20210624 and later
- QuTS hero h4.5.4.1771 build 20210825 and later
- QuTScloud c4.5.6.1755 and later
Stack buffer overflow vulnerability in QUSBCam2
Security ID: QSA-21-34
Release date: September 10, 2021
Severity: Critical
CVE identifier: CVE-2021-34344
Affected products: Certain QNAP NAS
Summary
A stack buffer overflow vulnerability has been reported to affect the firm’s NAS running QUSBCam2. If exploited, this vulnerability allows attackers to execute arbitrary code.
The company has already fixed this vulnerability in the following versions of QUSBCam2:
- QTS 4.5.4: QUSBCam2 1.1.4 (2021/07/30) and later
- QTS 4.3.6: QUSBCam2 1.1.4 (2021/07/30) and later
- QuTS hero h4.5.3: QUSBCam2 1.1.4 (2021/07/30) and later
Stack-based buffer overflow vulnerabilities in NVR Storage Expansion
Security ID: QSA-21-36
Release date: September 10, 2021
Severity: Critical
CVE identifier: CVE-2021-34345 | CVE-2021-34346
Affected products: QNAP NAS running NVR Storage Expansion
Summary
Two stack-based buffer overflow vulnerabilities have been reported to affect the firm’s NAS running NVR Storage Expansion. If exploited, these vulnerabilities allow attackers to execute arbitrary code.
The company has already fixed these vulnerabilities in the following versions:
- NVR Storage Expansion 1.0.6 (2021/08/03) and later
Insufficiently protected credentials in QSW-M2116P-2T2S and QuNetSwitch
Security ID: QSA-21-37
Release date: September 10, 2021
Severity: High
CVE identifier: CVE-2021-28813
Affected products: QSW-M2116P-2T2S, QNAP switches running QuNetSwitch
Summary
A vulnerability involving insecure storage of sensitive information has been reported to affect QSW-M2116P-2T2S and QNAP switches running QuNetSwitch. If exploited, this vulnerability allows remote attackers to read sensitive information by accessing the unrestricted storage mechanism.
The company has already fixed this vulnerability in the following versions:
- QSW-M2116P-2T2S 1.0.6 build 210713 and later
- QGD-1600P: QuNetSwitch 1.0.6.1509 and later
- QGD-1602P: QuNetSwitch 1.0.6.1509 and later
- QGD-3014PT: QuNetSwitch 1.0.6.1519 and later
Questions regarding this issue: contact