Qnap Security Advisory QSA-23-57 for Resolved Security Vulnerabilities

Qnap Systems, Inc. had published security enhancement against security vulnerabilities that could affect specific versions of Qnap products.

Use the following information and solutions to correct the security issues and vulnerabilities.

Multiple vulnerabilities in QTS, QuTS hero and QuTScloud
Security ID: QSA-23-57
Release date: February 13, 2024
CVE identifier: CVE-2023-47218 | CVE-2023-50358
Severity: Medium
Status: Resolved
Affected products: QTS 5.x, 4.x; QuTS hero h5.x, h4.x, QuTScloud 5.x

Summary
Multiple vulnerabilities have been reported to affect several Qnap OSs versions. If exploited, the OS command injection vulnerabilities could allow users to execute commands via a network.

The company have already fixed the vulnerabilities in the following versions.

To fully fix the vulnerabilities, user must install one of the fully fixed versions.

If you do not want to install a fully fixed version for your device, you can still mitigate the vulnerabilities by installing a partially fixed version. However, note that the vulnerabilities still exist during the installation process of a partially fixed version. The vulnerabilities only disappear after installation is complete.

Recommendation
To secure your device, we recommend regularly updating your system to the latest version to benefit from vulnerability fixes. You can check the product support status to see the latest updates available to your NAS model.

Mitigation
If you do not want to update your OS to the latest version, you can perform the following actions to mitigate the vulnerabilities.

1. Test following URL in your browser:
        https://<NAS IP address>:<NAS system port>/cgi-bin/quick/quick.cgi
    
   • If you get the following response (HTTP 404 error), your system is not vulnerable:
          ‘Page not found or the web server is currently unavailable. Please contact the website administrator for help.’
   • If you get an empty page (HTTP 200), continue to the next step.
     

2. Update your OS to one of following versions or later:

   • QTS 5.1.0.2444 build 20230629 and later
   • QTS 5.0.1.2145 build 20220903 and later
   • QTS 5.0.0.1986 build 20220324 and later
   • QTS 4.5.4.2012 build 20220419 and later
   • QTS 4.3.6.2665 build 20240131 and later
   • QTS 4.3.4.2675 build 20240131 and later
   • QTS 4.3.3.2644 build 20240131 and later
   • QTS 4.2.6 build 20240131 and later
   • QuTS hero h5.1.0.2466 build 20230721 and later
   • QuTS hero h5.0.1.2192 build 20221020 and later
   • QuTS hero h5.0.0.1986 build 20220324 and later
   • QuTS hero h4.5.4.1991 build 20220330 and later   

3. Test the above URL again in your browser.

   • If you get the following response (HTTP 404 error), your system is now free from the vulnerabilities:
          ‘Page not found or the web server is currently unavailable. Please contact the website administrator for help.’
   • If you get an empty page (HTTP 200), please update firmware immediately.

Updating QTS, QuTS hero, or QuTScloud

1. Log in to QTS, QuTS hero, or QuTScloud as an administrator.
2. Go to Control Panel > System > Firmware Update.
3. Under Live Update, click Check for Update.
   The system downloads and installs the latest available update.

Tip: You can also download the update from the Qnap website. Go to Support > Download Center and then perform a manual update for your specific device.

Attachment

• CVE-2023-47218.json
• CVE-2023-50358.json

Acknowledgements:
Stephen Fewer, principal security researcher, Rapid7
Palo Alto Networks Unit 42

Revision history:
V1.0 (February 13, 2024) – Published

Questions regarding this issue