What are you looking for ?
Advertise with us
RAIDON

Qnap Security Advisories on 8 Resolved Vulnerabilities

Concerning Notes Station 3, OpenSSH, Photo Station, Qnap AI Core, QTS and QuTS hero NAS OSs, QuRouter, QuLog Center, and Media Streaming Add-on

Qnap Systems, Inc. had published security enhancement against security vulnerabilities that could affect specific versions of Qnap products.

Use the following information and solutions to correct the security issues and vulnerabilities.

This advisory includes the following:

 

Multiple Vulnerabilities in Notes Station 3

Security ID: QSA-24-36
Release date: November 23, 2024
CVE identifier: CVE-2024-38643 | CVE-2024-38644 | CVE-2024-38645 | CVE-2024-38646
Severity: Important
Status: Resolved
Affected products: Notes Station 3 version 3.9.x

Summary
Multiple vulnerabilities have been reported to affect Notes Station 3:

  • CVE-2024-38643: If exploited, the missing authentication for critical function vulnerability could allow remote attackers to gain access to the system.
  • CVE-2024-38644: If exploited, the command injection vulnerability could allow remote attackers who have gained user access to execute arbitrary commands.
  • CVE-2024-38645: If exploited, the server-side request forgery (SSRF) vulnerability could allow remote attackers who have gained user access to read application data.
  • CVE-2024-38646: If exploited, the incorrect permission assignment for critical resource vulnerability could allow local attackers who have gained administrator access to gain unauthorized access to data.

The company have already fixed the vulnerabilities in the following version:

Affected product Fixed version
Notes Station 3 version 3.9.x Notes Station 3 version 3.9.7 and later

Information link

 

Multiple Vulnerabilities in OpenSSH

Security ID
: QSA-24-37
Release date: November 23, 2024
CVE identifier: CVE-2023-38408 | CVE-2021-41617 | CVE-2020-14145
Severity: Moderate
Status: Resolved
Affected products: QTS 5.1.x, QuTS hero h5.1.x

Summary
Multiple vulnerabilities have been reported in OpenSSH. The vulnerabilities have been found to affect certain Qnap OS versions.

The company have already fixed the vulnerabilities in the following versions:

Affected product

Fixed version

QTS 5.1.x

QTS 5.1.8.2823 build 20240712 and later

QuTS hero h5.1.x

QuTS hero h5.1.8.2823 build 20240712 and later

Information link

 

Multiple Vulnerabilities in Photo Station

Security ID
: QSA-24-39
Release date: November 23, 2024
CVE identifier: CVE-2024-32767 | CVE-2024-32768 | CVE-2024-32769 | CVE-2024-32770
Severity: Moderate
Status: Resolved
Affected products: Photo Station 6.4.x

Summary
Multiple vulnerabilities have been reported to affect Photo Station:

  • CVE-2024-32767, CVE-2024-32768, CVE-2024-32769, CVE-2024-32770: If exploited, the cross-site scripting (XSS) vulnerabilities could allow remote attackers who have gained user access to bypass security mechanisms or read application data.

The company have already fixed the vulnerabilities in the following version:

Affected product

Fixed version

Photo Station 6.4.x

Photo Station 6.4.3 (2024/07/12) and later

Information link

 

Vulnerability in Qnap AI Core

Security ID: QSA-24-40
Release date: November 23, 2024
CVE identifier: CVE-2024-38647
Severity: Important
Status: Resolved
Affected products: Qnap AI Core 3.4.x

Summary
An exposure of sensitive information vulnerability has been reported to affect Qnap AI Core. If exploited, the vulnerability could allow remote attackers to compromise the security of the system.

The company have already fixed the vulnerability in the following version:

Affected product

Fixed version

Qnap AI Core 3.4.x

Qnap AI Core 3.4.1 and later

Information link

 

Multiple Vulnerabilities in QTS and QuTS hero

Security ID: QSA-24-43
Release date: November 23, 2024
CVE identifier: CVE-2024-37041 | CVE-2024-37042 | CVE-2024-37043 | CVE-2024-37044 | CVE-2024-37045 | CVE-2024-37046 | CVE-2024-37047 | CVE-2024-37048 | CVE-2024-37049 | CVE-2024-37050 | CVE-2024-50396 | CVE-2024-50397 | CVE-2024-50398 | CVE-2024-50399 | CVE-2024-50400
Severity: Important
Status: Resolved
Affected products: QTS 5.2.x, QuTS hero h5.2.x

Summary
Multiple vulnerabilities have been reported to affect certain Qnap
OS versions:

  • CVE-2024-37041, CVE-2024-37044, CVE-2024-37047, CVE-2024-37049, CVE-2024-37050: If exploited, the buffer overflow vulnerabilities could allow remote attackers who have gained administrator access to modify memory or crash processes.
  • CVE-2024-37042, CVE-2024-37045, CVE-2024-37048: If exploited, the NULL pointer dereference vulnerabilities could allow remote attackers who have gained administrator access to launch a denial-of-service (DoS) attack.
  • CVE-2024-37043, CVE-2024-37046: If exploited, the path traversal vulnerabilities could allow remote attackers who have gained administrator access to read the contents of unexpected files or system data.
  • CVE-2024-50396, CVE-2024-50397, CVE-2024-50398, CVE-2024-50399, CVE-2024-50400, CVE-2024-50401: If exploited, the use of externally-controlled format string vulnerabilities could allow remote attackers to obtain secret data or modify memory.

The company have already fixed the vulnerabilities in the following versions:

Affected product

Fixed version

QTS 5.2.x

QTS 5.2.1.2930 build 20241025 and later

QuTS hero h5.2.x

QuTS hero h5.2.1.2929 build 20241025 and later

Information link

 

Multiple Vulnerabilities in QuRouter

Security ID: QSA-24-44
Release date: November 23, 2024
CVE identifier: CVE-2024-48860 | CVE-2024-48861
Severity: Important
Status: Resolved
Affected products: QuRouter 2.4.x

Summary
Multiple vulnerabilities have been reported to affect QuRouter:

  • CVE-2024-48860, CVE-2024-48861: If exploited, the command injection vulnerabilities could allow remote attackers to execute arbitrary commands.

The company have already fixed the vulnerabilities in the following version:

Affected product

Fixed version

QuRouter 2.4.x

QuRouter 2.4.3.106 and later

Information link

 

Vulnerability in QuLog Center

Security ID: QSA-24-46
Release date: November 23, 2024
CVE identifier: CVE-2024-48862
Severity: Important
Status: Resolved
Affected products: QuLog Center 1.7.x and 1.8.x

Summary
A link following vulnerability has been reported to affect QuLog Center. If exploited, the vulnerability could allow remote attackers to traverse the file system to unintended locations.

The company have already fixed the vulnerability in the following versions:

Affected product

Fixed version

QuLog Center 1.7.x

QuLog Center 1.7.0.831 (2024/10/15) and later

QuLog Center 1.8.x

QuLog Center 1.8.0.888 (2024/10/15) and later

Information link

 

Vulnerability in Media Streaming Add-on

Security ID: QSA-24-47
Release date: November 23, 2024
CVE identifier: CVE-2024-50395
Severity: Moderate
Status: Resolved
Affected products: Media Streaming Add-on 500.1.x

Summary
An authorization bypass through user-controlled key vulnerability has been reported to affect Media Streaming add-on. If exploited, the vulnerability could allow attackers with local network access to gain unintended privileges.

The company have already fixed the vulnerability in the following version:

Affected product

Fixed version

Media Streaming Add-on 500.1.x

Media Streaming Add-on 500.1.1.6 (2024/08/02) and later

Information link

Questions regarding this issue, contact the company.

Articles_bottom
ExaGrid
AIC
ATTOtarget="_blank"
OPEN-E