Qnap Security Resolved: Command Injection Vulnerability in Media Streaming Add-On

Qnap Systems, Inc. has published a security advisory concerning the resolved ‘Command Injection Vulnerability in Media Streaming Add-On’.

• Release date: October 22, 2021

• Security ID: QSA-21-44

• Severity: High

• CVE identifier: CVE-2021-34362

• Affected products: Qnap NAS running the Media Streaming add-on

• Status: Resolved

Summary
A command injection vulnerability has been reported to affect Qnap NAS running the Media Streaming add-on. If exploited, this vulnerability allows remote attackers to run arbitrary commands.

The company have already fixed vulnerability in following versions of Media Streaming add-on:

• QTS 5.0.0: Media Streaming add-on 500.0.0.3 (2021/08/20) and later

• QTS 4.5.4: Media Streaming add-on 500.0.0.3 (2021/08/20) and later

• QTS 4.3.6: Media Streaming add-on 430.1.8.12 (2021/08/20) and later

• QTS 4.3.3: Media Streaming add-on 430.1.8.12 (2021/09/29) and later

• QuTS hero h5.0.0: Media Streaming add-on 500.0.0.3 (2021/08/20) and later

Recommendation
To fix the vulnerability, we recommend updating the Media Streaming add-on to the latest version.

Updating Media Streaming Add-On

1. Log on to QTS as administrator.

2. Open the App Center and then click.
   A search box appears.

3. Type ‘Media Streaming add-on’ and then press ENTER.
   The Media Streaming add-on appears in the search results.

4. Click Update.
   A confirmation message appears.
   Note: The Update button is not available if your Media Streaming add-on is already up to date.

5. Click OK.
   The application is updated.

Acknowledgements: Tony Martin, a security researcher

Revision History: V1.0 (October 22, 2021) – Published