Qnap Security Advisory Bulletin ID: QSA-24-48, QSA-24-49, QSA-24-50
Concerning resolved vulnerabilities in Qsync Central, QTS and QuTS hero NAS OSs, and License Center
This is a Press Release edited by StorageNewsletter.com on December 9, 2024 at 2:00 pmQnap Systems, Inc. had published security enhancement against security vulnerabilities that could affect specific versions of Qnap products.
Use the following information and solutions to correct the security issues and vulnerabilities.
This advisory includes following:
- Vulnerability in Qsync Central (ID: QSA-24-48)
- Multiple Vulnerabilities in QTS and QuTS hero (PWN2OWN 2024) (ID: QSA-24-49)
- Vulnerability in License Center (ID: QSA-24-50)
Vulnerability in Qsync Central
Security ID: QSA-24-48
Release date: December 7, 2024
CVE identifier: CVE-2024-50404
Severity: Moderate
Status: Resolved
Affected products: Qsync Central 4.4.x
Summary
A link following vulnerability has been reported to affect Qsync Central. If exploited, the vulnerability could allow remote attackers who have gained user access to traverse the file system to unintended locations.
The company have already fixed the vulnerability in following version:
|
Affected Product |
Fixed Version |
|
Qsync Central 4.4.x |
Qsync Central 4.4.0.16_20240819 (2024/08/19) and later |
Multiple Vulnerabilities in QTS and QuTS hero (PWN2OWN 2024)
Security ID: QSA-24-49
Release date: December 7, 2024
CVE identifier: CVE-2024-48859 | CVE-2024-48865 | CVE-2024-48866 | CVE-2024-48867 | CVE-2024-48868 | CVE-2024-50393 | CVE-2024-50402 | CVE-2024-50403
Severity: Important
Status: Resolved
Affected products: QTS 5.1.x, 5.2.x; QuTS hero h5.1.x, h5.2.x
Summary:
Multiple vulnerabilities have been reported to affect certain Qnap NAS OSs versions:
- CVE-2024-48859: If exploited, the improper authentication vulnerability could allow remote attackers to compromise the security of the system.
- CVE-2024-48865: If exploited, the improper certificate validation vulnerability could allow attackers with local network access to compromise the security of the system.
- CVE-2024-48866: If exploited, the improper handling of URL encoding (hex encoding) vulnerability could allow remote attackers to cause the system to go into an unexpected state.
- CVE-2024-48867, CVE-2024-48868: If exploited, the improper neutralization of CRLF sequences (‘CRLF injection’) vulnerabilities could allow remote attackers to modify application data.
- CVE-2024-50393: If exploited, the command injection vulnerability could allow remote attackers to execute arbitrary commands.
- CVE-2024-50402, CVE-2024-50403: If exploited, the use of externally-controlled format string vulnerabilities could allow remote attackers who have gained administrator access to obtain secret data or modify memory.
The company have already fixed the vulnerabilities in following versions:
|
Affected Product |
Fixed Version |
|
QTS 5.1.x |
QTS 5.1.9.2954 build 20241120 and later |
|
QTS 5.2.x |
QTS 5.2.2.2950 build 20241114 and later |
|
QuTS hero h5.1.x |
QuTS hero h5.1.9.2954 build 20241120 and later |
|
QuTS hero h5.2.x |
QuTS hero h5.2.2.2952 build 20241116 and later |
Vulnerability in License Center
Security ID: QSA-24-50
Release date: December 7, 2024
CVE identifier: CVE-2024-48863
Severity: Important
Status: Resolved
Affected products: License Center 1.9.x
Summary
A command injection vulnerability has been reported to affect License Center. If exploited, the vulnerability could allow remote attackers to execute arbitrary commands.
The company have already fixed the vulnerability in following version:
|
Affected Product |
Fixed Version |
|
License Center 1.9.x |
License Center 1.9.43 and later |
informations Questions regarding this issue
Subscribe to our free daily newsletter
