Qnap Product Security Incident Response Team Official Response Regarding Recent Security Report by WatchTowr Labs
To address findings and outline actions to resolve these issues
This is a Press Release edited by StorageNewsletter.com on May 29, 2024 at 2:01 pm
QNAP Systems, Inc. is committed to maintaining the high security standards for its products.
The company has recently been informed of multiple vulnerabilities in the QTS NAS OS, as detailed in a report by WatchTowr Labs. The firm would like to address the findings and outline its actions to resolve these issues.
Addressing reported QTS vulnerabilities
QNAP appreciates the efforts of security researchers in identifying potential vulnerabilities in its products. The company has assigned CVE IDs to the confirmed vulnerabilities in the report. Four of these vulnerabilities (CVE-2023-50361, CVE-2023-50362, CVE-2023-50363, CVE-2023-50364) were fixed in the QTS 5.1.6 / QuTS hero h5.1.6 update released in April 2024. The other confirmed vulnerabilities (CVE-2024-21902, CVE-2024-27127, CVE-2024-27128, CVE-2024-27129, CVE-2024-27130) have been fixed in today’s QTS 5.1.7 / QuTS hero h5.1.7 update (May 21, Taipei time).
Specifically:
- CVE-2024-27131: The enhancement requires a change in the UI specs within the QuLog Center. It is not an actual vulnerability, but rather a design choice, and it only affects internal network scenarios. This modification will be addressed in QTS 5.2.0.
- WT-2023-0050: This issue is still under review and has not been confirmed as a valid vulnerability. The firm is working closely with the researchers to clarify its status.
- WT-2024-0004 and WT-2024-0005: These issues are also under review, and the NAS company is in active discussions with the researchers to understand and resolve them.
- WT-2024-0006: This issue has been assigned a CVE ID and will be resolved in the upcoming release.
CVE-2024-27130 vulnerability
The CVE-2024-27130 vulnerability, which has been reported under WatchTowr ID WT-2023-0054, is caused by the unsafe use of the ‘strcpy’ function in the No_Support_ACL function, which is utilized by the get_file_size request in the share.cgi script. This script is used when sharing media with external users. To exploit this vulnerability, an attacker requires a valid ‘ssid’ parameter, which is generated when a NAS user shares a file from their QNAP device.
The firm wants to reassure its users that all QTS 4.x and 5.x versions have Address Space Layout Randomization (ASLR) enabled. ASLR significantly increases the difficulty for an attacker to exploit this vulnerability. Therefore, the company has assessed its severity as Medium. Nonetheless, QNAP strongly recommends users update to QTS 5.1.7 / QuTS hero h5.1.7 as soon as it becomes available to ensure their systems are protected.
Commitment to security
The Product Security Incident Response Team (PSIRT) has always been proactive in collaborating with security researchers to triage and remediate vulnerabilities. The company regrets any coordination issues that may have occurred between the product release schedule and the disclosure of these vulnerabilities. It is taking steps to improve processes and coordination in the future to prevent such issues from arising again.
Moving forward, for vulnerabilities triaged as High or Critical severity, it commits to completing remediation and releasing fixes within 45 days. For Medium severity vulnerabilities, the company will complete remediation and release fixes within 90 days.
It apologizes for any inconvenience this may have caused and is committed to enhancing its security measures continuously. The firm’s goal is to work closely with researchers worldwide to ensure the highest quality of security for its products.
To secure your device, QNAP recommends regularly updating your system to the latest version to benefit from vulnerability fixes. You can check the product support status to see the latest updates available to the company’s NAS model.
QNAP PSIRT Security Advisory: