What are you looking for ?
Advertise with us
Advertise with us

Qnap Security Advisories on Resolved Vulnerabilies: QSA-24-14, QSA-24-15, QSA-24-16, QSA-24-17, QSA-24-18, QSA-24-20

Concerning QTS, QuTS hero,QuTScloud OSs, Media Streaming add-on, QuFirewall, and Squid

QNAP Sytems, Inc. had published security enhancement vs. security vulnerabilities that could affect specific versions of QNAP products.

Use the following information and solutions to correct the security issues and vulnerabilities.

This advisory includes the following:

Multiple vulnerabilities in QTS, QuTS hero, and QuTScloud (PWN2OWN 2023)

Security ID: QSA-24-14
Release date: April 25, 2024
CVE identifier: CVE-2023-51364 | CVE-2023-51365
Severity: High
Status: Resolved
Affected products: QTS 5.1.x, 4.5.x; QuTS hero h5.1.x, h4.5.x; QuTScloud c5.x

Summary
Multiple vulnerabilities have been reported to affect certain firm’s OSs versions:

  • CVE-2023-51364, CVE-2023-51365: If exploited, the path traversal vulnerabilities could allow users to read the contents of unexpected files and expose sensitive data via a network.

The company have already fixed the vulnerabilities in following versions:

Affected product

Fixed version

QTS 5.1.x

QTS 5.1.4.2596 build 20231128 and later

QTS 4.5.x

QTS 4.5.4.2627 build 20231225 and later

QuTS hero h5.1.x

QuTS hero h5.1.3.2578 build 20231110 and later

QuTS hero h4.5.x

QuTS hero h4.5.4.2626 build 20231225 and later

QuTScloud c5.x

QuTScloud c5.1.5.2651 and later

More information

Vulnerability in Media Streaming Add-on

Security ID: QSA-24-15
Release date: April 25, 2024
CVE identifier: CVE-2023-47222
Severity: High
Status: Resolved
Affected products: Media Streaming add-on 500.1.x

Summary
An exposure of sensitive information vulnerability has been reported to affect Media Streaming add-on. If exploited, the vulnerability could allow users to compromise the security of the system via a network.

The company have already fixed the vulnerability in following version:

Affected product

Fixed version

Media Streaming add-on 500.1.x

Media Streaming add-on 500.1.1.5 (2024/01/22) and later

More information

 

Vulnerability in QTS, QuTS hero, and QuTScloud

Security ID: QSA-24-16
Release date: April 25, 2024
CVE identifier: CVE-2024-21905
Severity: Medium
Status: Resolved
Affected products: QTS 5.1.x, QuTS hero h5.1.x, QuTScloud c5.x

Summary
An integer overflow or wraparound vulnerability has been reported to affect several QNAP OSs versions. If exploited, the vulnerability could allow users to compromise the security of the system via a network.

The company have already fixed the vulnerability in following versions:

Affected product

Fixed version

QTS 5.1.x

QTS 5.1.3.2578 build 20231110 and later

QuTS hero h5.1.x

QuTS hero h5.1.3.2578 build 20231110 and later

QuTScloud c5.x

QuTScloud c5.1.5.2651 and later

More information

 

Multiple Vulnerabilities in QuFirewall

Security ID: QSA-24-17
Release date: April 25, 2024
CVE identifier: CVE-2023-41290 | CVE-2023-41291
Severity: Medium
Status: Resolved
Affected products: QuFirewall 2.4.x

Summary
Two path traversal vulnerabilities have been reported to affect QuFirewall. If exploited, the vulnerabilities could allow authenticated administrators to read the contents of unexpected files and expose sensitive data via a network.

The company have already fixed the vulnerabilities in following version:

Affected product

Fixed version

QuFirewall 2.4.x

QuFirewall 2.4.1 (2024/02/01) and later

More information

 

Vulnerabilities in Squid

Security ID: QSA-24-18
Release date: April 25, 2024
CVE identifier: CVE-2023-5824 | CVE-2023-46724 | CVE-2023-46846 | CVE-2023-46847
Severity: Medium
Status: Resolved
Affected products: Proxy Server 1.4.x

Summary
Multiple vulnerabilities have been reported in Squid, which affects the QNAP utility Proxy Server.

The company have already fixed the vulnerabilities in following version:

Affected product

Fixed version

Proxy Server 1.4.x

Proxy Server 1.4.6 (2024/01/17) and later

More information

 

Multiple Vulnerabilities in QTS and QuTS hero

Security ID: QSA-24-20
Release date: April 25, 2024
CVE identifier: CVE-2023-50361 | CVE-2023-50362 | CVE-2023-50363 | CVE-2023-50364
Severity: Medium
Status: Resolved
Affected products: QTS 5.1.x, QuTS hero h5.1.x

Summary
Multiple vulnerabilities have been reported to affect certain QNAP
OSs versions.

  • CVE-2023-50361, CVE-2023-50362: If exploited, the buffer copy without checking size of input vulnerabilities could allow authenticated users to execute code via a network.

  • CVE-2023-50363: If exploited, the incorrect authorization vulnerability could allow authenticated users to bypass 2-step verification via a network.

  • CVE-2023-50364: If exploited, the buffer copy without checking size of input vulnerability could allow authenticated administrators to execute code via a network.

The company have already fixed the vulnerability in following versions:

Affected product

Fixed version

QTS 5.1.x

QTS 5.1.6.2722 build 20240402 and later

QuTS hero h5.1.x

QuTS hero h5.1.6.2734 build 20240414 and later

More information

Questions regarding this issue contact

Articles_bottom
ExaGrid
AIC
ATTOtarget="_blank"
OPEN-E