
Qnap Security Advisory: Security Vulnerabilities of QTS and QuTS hero NAS OS and NAS Apps

Including Music Station, Multimedia Console, Photo Station applications and command injection vulnerability

Qnap Systems, Inc. has published security enhancements addressing security vulnerabilities that could affect specific versions of the company’s products.

Use the following information and solutions to correct the security issues and vulnerabilities.
Bulletin IDs: QSA-20-12 to QSA-20-16

This advisory includes the following:

Multiple vulnerabilities in QTS and QuTS hero
Security ID: QSA-20-12
Release date: December 7, 2020
Severity: High
CVE identifier: CVE-2020-2495 | CVE-2020-2496 | CVE-2020-2497 | CVE-2020-2498
Affected products: All company’s NAS

Summary
Four vulnerabilities have been reported to affect earlier versions of QTS and QuTS hero.

  • CVE-2020-2495: If exploited, this cross-site scripting vulnerability could allow remote attackers to inject malicious code in File Station.
  • CVE-2020-2496: If exploited, this cross-site scripting vulnerability could allow remote attackers to inject malicious code in File Station.
  • CVE-2020-2497: If exploited, this cross-site scripting vulnerability could allow remote attackers to inject malicious code in System Connection Logs.
  • CVE-2020-2498: If exploited, this cross-site scripting vulnerability could allow remote attackers to inject malicious code in certificate configuration.

The company has already fixed these vulnerabilities in the following versions of QTS and QuTS hero.

  • QuTS hero h4.5.1.1472 build 20201031 and later
  • QTS 4.5.1.1456 build 20201015 and later
  • QTS 4.4.3.1354 build 20200702 and later
  • QTS 4.3.6.1333 build 20200608 and later
  • QTS 4.3.4.1368 build 20200703 and later
  • QTS 4.3.3.1315 build 20200611 and later
  • QTS 4.2.6 build 20200611 and later

Information: Multiple Vulnerabilities in QTS and QuTS hero (ID: QSA-20-12)

Cross-site scripting vulnerability in Music Station
Security ID: QSA-20-13
Release date: December 7, 2020
Severity: Medium
CVE identifier: CVE-2020-2494
Affected products: Company’s NAS running Music Station

Summary
This cross-site scripting vulnerability in Music Station allows remote attackers to inject malicious code.

The company has already fixed this vulnerability in the following versions of Music Station.

  • QuTS hero h4.5.1: Music Station 5.3.13 and later
  • QTS 4.5.1: Music Station 5.3.12 and later
  • QTS 4.4.3: Music Station 5.3.12 and later

Information: Cross-site Scripting Vulnerability in Music Station (ID: QSA-20-13)

Cross-site scripting vulnerability in Multimedia Console
Security ID: QSA-20-14
Release date: December 7, 2020

Severity: High
CVE identifier: CVE-2020-2493
Affected products: Company’s NAS running Multimedia Console

Summary
This cross-site scripting vulnerability in Multimedia Console allows remote attackers to inject malicious code.

The company has already fixed this vulnerability in Multimedia Console 1.1.5 and later.

Information: Cross-site Scripting Vulnerability in Multimedia Console (ID: QSA-20-14)

Cross-site scripting vulnerability in Photo Station
Security ID: QSA-20-15
Release date: December 7, 2020

Severity: High
CVE identifier: CVE-2020-2491
Affected products: Company’s NAS running Photo Station

Summary
This cross-site scripting vulnerability in Photo Station allows remote attackers to inject malicious code.

The company has already fixed this vulnerability in the following versions of Photo Station.

  • QTS 4.5.1: Photo Station 6.0.12 and later
  • QTS 4.4.3: Photo Station 6.0.12 and later
  • QTS 4.3.6: Photo Station 5.7.12 and later
  • QTS 4.3.4: Photo Station 5.7.13 and later
  • QTS 4.3.3: Photo Station 5.4.10 and later
  • QTS 4.2.6: Photo Station 5.2.11 and later

Information: Cross-site Scripting Vulnerability in Photo Station (ID: QSA-20-15)

Command injection vulnerability in QTS and QuTS hero
Security ID: QSA-20-16
Release date: December 7, 2020

Severity: Medium
CVE identifier: CVE-2019-7198
Affected products: All company’s NAS

Summary
This command injection vulnerability allows attackers to execute arbitrary commands in a compromised application.

The company has already fixed this vulnerability in the following versions of QTS and QuTS hero.

  • QuTS hero h4.5.1.1472 build 20201031 and later
  • QTS 4.5.1.1456 build 20201015 and later
  • QTS 4.4.3.1354 build 20200702 and later

Information: Command Injection Vulnerability in QTS and QuTS hero (ID: QSA-20-16)

Questions regarding this issue
