Qnap Security Advisory QSA-24-31 Concerning Fixing Vulnerability in OpenSSH
Recommends keeping the SSH service disabled by default or not exposing the OpenSSH service to the Internet.
This is a Press Release edited by StorageNewsletter.com on July 17, 2024 at 2:18 pm
QNAP Systems, Inc. published a security advisory concerning OpenSSH.
Release date: July 2, 2024
CVE identifier: CVE-2024-6387
Not affected products: QTS 5.1.x, 4.5.x; QuTS hero h5.1.x, h4.5.x; QuTScloud c5.x
Affected products: QTS 5.2.0 RC, QuTS hero h5.2.0 RC
Severity: High
Status: Fixing
Summary
A remote code execution (RCE) vulnerability in OpenSSH has been reported to affect QTS 5.2.0 Release Candidate and QuTS hero h5.2.0 Release Candidate.
QTS 5.1.x, QTS 4.5.x, QuTS hero h5.1.x, QuTS hero h4.5.x, and QuTScloud c5.x are not affected.
QNAP is actively investigating this issue and working on a solution. We will fix the issue in the official releases of QTS 5.2.0 and QuTS hero h5.2.0.
Recommendation
For users of QTS 5.2.0 RC and QuTS hero h5.2.0 RC, QNAP recommends keeping the SSH service disabled by default or not exposing the OpenSSH service to the internet.
If you really need to use the OpenSSH service, the company strongly recommends the following mitigations:
- Go to Control Panel > Security > IP Access Protection, and enable SSH.
- Avoid using port 22 (the default port number for SSH) before updating to the official releases of QTS or QuTS hero. Instead, configure SSH to use a different port number.
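A shell check for the two interim mitigations above, added here as an example and not part of QNAP's advisory or its products: it parses a standard OpenSSH `sshd_config` (path passed as an argument; the sample config below is constructed) and reports whether SSH still sits on port 22 and whether it is bound to every interface.

```shell
#!/bin/sh
# Added example (not QNAP's code): audit an sshd_config for the advisory's
# interim mitigations. Assumes a stock OpenSSH config syntax; per-address
# ports given as "ListenAddress host:port" are not evaluated here.

# Print every effective "Port" value (uncommented directives), or 22 if none.
sshd_ports() {
    ports=$(sed -n 's/^[[:space:]]*[Pp]ort[[:space:]]\{1,\}\([0-9]\{1,\}\).*/\1/p' "$1")
    [ -n "$ports" ] && printf '%s\n' $ports || echo 22
}

# Return 0 when no effective port is 22 (mitigation met), 1 otherwise.
sshd_avoids_port_22() {
    for p in $(sshd_ports "$1"); do
        [ "$p" = "22" ] && return 1
    done
    return 0
}

# Return 0 when every ListenAddress is a specific address; return 1 when the
# directive is absent (sshd then listens everywhere) or names a wildcard.
sshd_bound_locally() {
    addrs=$(sed -n 's/^[[:space:]]*ListenAddress[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p' "$1")
    [ -z "$addrs" ] && return 1
    for a in $addrs; do
        case "$a" in
            0.0.0.0*|::*|'[::]'*) return 1 ;;
        esac
    done
    return 0
}

# Constructed sample config (not a real QNAP file) in the mitigated state.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#Port 22
Port 2222
ListenAddress 192.168.1.10
EOF
sshd_avoids_port_22 "$sample" && echo "OK: SSH not on port 22" || echo "WARN: SSH still on port 22"
sshd_bound_locally "$sample" && echo "OK: bound to a specific address" || echo "WARN: bound to all interfaces"
rm -f "$sample"
```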
Revision History:
V1.0 (July 2, 2024) – Published