Qnap Security Advisory Bulletin ID: QSA-21-09, QSA-21-29 ~ QSA-21-32
Concerning DNSpooq vulnerabilities, multiple command injection vulnerabilities in QTS and QuTS hero, stored XSS vulnerability in QuLog Center, stored XSS vulnerability in Q'center, and XSS vulnerability in QTS and QuTS hero
This is a Press Release edited by StorageNewsletter.com on July 7, 2021 at 2:31 pm

QNAP Systems, Inc. has published security enhancements against security vulnerabilities that could affect specific versions of the company’s products.
Use the following information and solutions to correct the security issues and vulnerabilities.
This advisory includes the following:
DNSpooq vulnerabilities in QTS
Security ID: QSA-21-09
Release date: July 1, 2021
Severity: Medium
CVE identifier: CVE-2020-25684 | CVE-2020-25685 | CVE-2020-25686
Affected products: Certain QNAP NAS
Summary
DNSpooq vulnerabilities—including DNS cache poisoning and buffer overflow vulnerabilities—have been reported to affect certain versions of QTS. If exploited, these vulnerabilities allow attackers to perform remote code execution.
The company has already fixed these vulnerabilities in the following versions:
- QTS 4.5.3.1652 build 20210428 and later
- QuTS hero h4.5.3.1670 build 20210515 and later
- QuTScloud c4.5.5.1656 build 20210503 and later
Multiple command injection vulnerabilities in QTS and QuTS hero
Security ID: QSA-21-29
Release date: July 1, 2021
Severity: Medium
CVE identifier: CVE-2021-28802 | CVE-2021-28804
Affected products: Certain QNAP NAS
Summary
Multiple command injection vulnerabilities have been reported to affect QTS and QuTS hero. If exploited, these vulnerabilities allow attackers to execute arbitrary commands in a compromised application.
The company has already fixed these vulnerabilities in the following versions:
- QTS 4.5.1.1540 build 20210107 and later
- QuTS hero h4.5.1.1582 build 20210217 and later
Stored XSS vulnerability in QuLog Center
Security ID: QSA-21-30
Release date: July 1, 2021
Severity: Medium
CVE identifier: CVE-2020-36196
Affected products: QNAP NAS running QuLog Center
Summary
A stored XSS vulnerability has been reported to affect QNAP NAS running QuLog Center. If exploited, this vulnerability allows attackers to inject malicious code.
The company has already fixed this vulnerability in the following versions:
- QuLog Center 1.2.0 and later
Stored XSS vulnerability in Q’center
Security ID: QSA-21-31
Release date: July 1, 2021
Severity: Medium
CVE identifier: CVE-2021-28803
Affected products: QNAP NAS running Q’center
Summary
A stored XSS vulnerability has been reported to affect QNAP NAS running Q’center. If exploited, this vulnerability allows attackers to inject malicious code.
The company has already fixed this vulnerability in the following versions:
- Q’center 1.11.1004 and later
XSS vulnerability in QTS and QuTS hero
Security ID: QSA-21-32
Release date: July 1, 2021
Severity: Medium
CVE identifier: CVE-2020-36194
Affected products: Certain QNAP NAS
Summary
An XSS vulnerability has been reported to affect QNAP NAS running QTS and QuTS hero. If exploited, this vulnerability allows attackers to inject malicious code.
The company has already fixed this vulnerability in the following versions:
- QTS 4.5.2.1566 Build 20210202 and later
- QuTS hero h4.5.2.1638 build 20210414 and later
QNAP NAS running QTS 4.5.3 and later are not affected.
Questions regarding this issue: contact