QNAP Security Advisories on Resolved Vulnerabilities: QSA-24-14, QSA-24-15, QSA-24-16, QSA-24-17, QSA-24-18, QSA-24-20
Concerning QTS, QuTS hero, QuTScloud OSs, Media Streaming add-on, QuFirewall, and Squid
This is a Press Release edited by StorageNewsletter.com on April 29, 2024 at 2:01 pm
QNAP Systems, Inc. has published security enhancements against security vulnerabilities that could affect specific versions of QNAP products.
Use the following information and solutions to correct the security issues and vulnerabilities.
This advisory includes the following:
- Multiple Vulnerabilities in QTS, QuTS hero, and QuTScloud (PWN2OWN 2023) (ID: QSA-24-14)
- Vulnerability in Media Streaming Add-on (ID: QSA-24-15)
- Vulnerability in QTS, QuTS hero, and QuTScloud (ID: QSA-24-16)
- Multiple Vulnerabilities in QuFirewall (ID: QSA-24-17)
- Vulnerabilities in Squid (ID: QSA-24-18): https://www.qnap.com/fr-fr/security-advisory/qsa-24-18
- Multiple Vulnerabilities in QTS and QuTS hero (ID: QSA-24-20)
Multiple vulnerabilities in QTS, QuTS hero, and QuTScloud (PWN2OWN 2023)
Security ID: QSA-24-14
Release date: April 25, 2024
CVE identifier: CVE-2023-51364 | CVE-2023-51365
Severity: High
Status: Resolved
Affected products: QTS 5.1.x, 4.5.x; QuTS hero h5.1.x, h4.5.x; QuTScloud c5.x
Summary
Multiple vulnerabilities have been reported to affect certain versions of the company's OSs:
- CVE-2023-51364, CVE-2023-51365: If exploited, the path traversal vulnerabilities could allow users to read the contents of unexpected files and expose sensitive data via a network.
The company has already fixed the vulnerabilities in the following versions:
| Affected product | Fixed version |
| --- | --- |
| QTS 5.1.x | QTS 5.1.4.2596 build 20231128 and later |
| QTS 4.5.x | QTS 4.5.4.2627 build 20231225 and later |
| QuTS hero h5.1.x | QuTS hero h5.1.3.2578 build 20231110 and later |
| QuTS hero h4.5.x | QuTS hero h4.5.4.2626 build 20231225 and later |
| QuTScloud c5.x | QuTScloud c5.1.5.2651 and later |
Vulnerability in Media Streaming Add-on
Security ID: QSA-24-15
Release date: April 25, 2024
CVE identifier: CVE-2023-47222
Severity: High
Status: Resolved
Affected products: Media Streaming add-on 500.1.x
Summary
An exposure of sensitive information vulnerability has been reported to affect Media Streaming add-on. If exploited, the vulnerability could allow users to compromise the security of the system via a network.
The company has already fixed the vulnerability in the following version:
| Affected product | Fixed version |
| --- | --- |
| Media Streaming add-on 500.1.x | Media Streaming add-on 500.1.1.5 (2024/01/22) and later |
Vulnerability in QTS, QuTS hero, and QuTScloud
Security ID: QSA-24-16
Release date: April 25, 2024
CVE identifier: CVE-2024-21905
Severity: Medium
Status: Resolved
Affected products: QTS 5.1.x, QuTS hero h5.1.x, QuTScloud c5.x
Summary
An integer overflow or wraparound vulnerability has been reported to affect several QNAP OS versions. If exploited, the vulnerability could allow users to compromise the security of the system via a network.
The company has already fixed the vulnerability in the following versions:
| Affected product | Fixed version |
| --- | --- |
| QTS 5.1.x | QTS 5.1.3.2578 build 20231110 and later |
| QuTS hero h5.1.x | QuTS hero h5.1.3.2578 build 20231110 and later |
| QuTScloud c5.x | QuTScloud c5.1.5.2651 and later |
Multiple Vulnerabilities in QuFirewall
Security ID: QSA-24-17
Release date: April 25, 2024
CVE identifier: CVE-2023-41290 | CVE-2023-41291
Severity: Medium
Status: Resolved
Affected products: QuFirewall 2.4.x
Summary
Two path traversal vulnerabilities have been reported to affect QuFirewall. If exploited, the vulnerabilities could allow authenticated administrators to read the contents of unexpected files and expose sensitive data via a network.
The company has already fixed the vulnerabilities in the following version:
| Affected product | Fixed version |
| --- | --- |
| QuFirewall 2.4.x | QuFirewall 2.4.1 (2024/02/01) and later |
Vulnerabilities in Squid
Security ID: QSA-24-18
Release date: April 25, 2024
CVE identifier: CVE-2023-5824 | CVE-2023-46724 | CVE-2023-46846 | CVE-2023-46847
Severity: Medium
Status: Resolved
Affected products: Proxy Server 1.4.x
Summary
Multiple vulnerabilities have been reported in Squid, which affect the QNAP utility Proxy Server.
The company has already fixed the vulnerabilities in the following version:
| Affected product | Fixed version |
| --- | --- |
| Proxy Server 1.4.x | Proxy Server 1.4.6 (2024/01/17) and later |
Multiple Vulnerabilities in QTS and QuTS hero
Security ID: QSA-24-20
Release date: April 25, 2024
CVE identifier: CVE-2023-50361 | CVE-2023-50362 | CVE-2023-50363 | CVE-2023-50364
Severity: Medium
Status: Resolved
Affected products: QTS 5.1.x, QuTS hero h5.1.x
Summary
Multiple vulnerabilities have been reported to affect certain QNAP OS versions.
- CVE-2023-50361, CVE-2023-50362: If exploited, the buffer copy without checking size of input vulnerabilities could allow authenticated users to execute code via a network.
- CVE-2023-50363: If exploited, the incorrect authorization vulnerability could allow authenticated users to bypass 2-step verification via a network.
- CVE-2023-50364: If exploited, the buffer copy without checking size of input vulnerability could allow authenticated administrators to execute code via a network.
The company has already fixed the vulnerabilities in the following versions:
| Affected product | Fixed version |
| --- | --- |
| QTS 5.1.x | QTS 5.1.6.2722 build 20240402 and later |
| QuTS hero h5.1.x | QuTS hero h5.1.6.2734 build 20240414 and later |