Qnap is releasing a large batch of patches for its NAS software. They close several vulnerabilities that independent researchers rate as critical. Drop everything and update: that is the message.
Qnap is releasing a batch of patches for QTS and QuTS hero, the manufacturer's operating systems for NAS and storage servers, which are vulnerable to exploitation.
Not dangerous, or irresistible?
One notable zero day is CVE-2023-50358. Qnap describes this bug as not very serious and difficult to exploit; the manufacturer settles on a CVSS score of 5.8. That assessment contradicts the findings of Palo Alto Networks' security specialists at Unit 42, who describe the vulnerability as not complex to exploit and with a potentially serious impact. Unit 42 calls it "an irresistible target for attackers."
Palo Alto's Unit 42 is not alone in this conclusion. The German BSI has now weighed in too. According to the agency responsible for digital security, the flaw could cause serious damage, and the BSI recommends that users install the patches immediately. It is not entirely clear why Qnap chose to present the vulnerability differently: the bug allows attackers to inject code, which is usually considered critical.
Unit 42 notes that at least 289,665 vulnerable devices are currently reachable online. A technical analysis of the vulnerability and its potential abuse is also available online.
Furthermore, the software turns out to be vulnerable to another flaw: CVE-2023-47218. It was discovered by Rapid7, and Qnap likewise describes it as not very dangerous. Responsible disclosure between Qnap and Rapid7 does not seem to have gone smoothly, with odd behaviour from the NAS specialist, which did not stick to the agreements made with the security company.
All that drama, however, has nothing to do with the heart of the matter, which is this: Qnap's critical software is vulnerable to abuse, and independent authorities believe there is a good chance that attackers will seize the opportunity. Qnap has released patches, so installing them is the message.
Lots of patches
For some reason Qnap has opted for a somewhat ambiguous patching policy, with different patches for different versions that fix the bugs either fully or partially. Upgrading to the latest version seems to us the best idea.
Software version | Severity | Partially fixed version | Fully fixed version |
--- | --- | --- | --- |
QTS 5.1.x | Medium | QTS 5.1.0.2444 build 20230629 and later | QTS 5.1.5.2645 build 20240116 and later |
QTS 5.0.1 | Medium | QTS 5.0.1.2145 build 20220903 and later | QTS 5.1.5.2645 build 20240116 and later |
QTS 5.0.0 | High | QTS 5.0.0.1986 build 20220324 and later | QTS 5.1.5.2645 build 20240116 and later |
QTS 4.5.x, 4.4.x | High | QTS 4.5.4.2012 build 20220419 and later | QTS 4.5.4.2627 build 20231225 and later |
QTS 4.3.6, 4.3.5 | High | QTS 4.3.6.2665 build 20240131 and later | QTS 4.3.6.2665 build 20240131 and later |
QTS 4.3.4 | High | QTS 4.3.4.2675 build 20240131 and later | QTS 4.3.4.2675 build 20240131 and later |
QTS 4.3.x | High | QTS 4.3.3.2644 build 20240131 and later | QTS 4.3.3.2644 build 20240131 and later |
QTS 4.2.x | High | QTS 4.2.6 build 20240131 and later | QTS 4.2.6 build 20240131 and later |
QuTS hero h5.1.x | Medium | QuTS hero h5.1.0.2466 build 20230721 and later | QuTS hero h5.1.5.2647 build 20240118 and later |
QuTS hero h5.0.1 | Medium | QuTS hero h5.0.1.2192 build 20221020 and later | QuTS hero h5.1.5.2647 build 20240118 and later |
QuTS hero h5.0.0 | High | QuTS hero h5.0.0.1986 build 20220324 and later | QuTS hero h5.1.5.2647 build 20240118 and later |
QuTS hero h4.x | High | QuTS hero h4.5.4.1991 build 20220330 and later | QuTS hero h4.5.4.2626 build 20231225 and later |
QuTScloud c5.x | High | QuTScloud c5.1.5.2651 and later | QuTScloud c5.1.5.2651 and later |
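Because the table mixes partial and full fixes across branches, deciding by eye whether a given NAS is covered is error-prone. The following Python script is an added example, not Qnap's code and not from the article's author: it parses the version string a device reports, finds the matching table row by longest branch prefix, and reports whether that build is unpatched, partially patched or fully patched against CVE-2023-50358 / CVE-2023-47218. The fixed builds are copied from the table above; the "QTS 5.1.5.2645 build 20240116" string format and the inventory lines at the bottom are constructed assumptions.

```python
"""Classify a Qnap firmware version against the advisory table for
CVE-2023-50358 / CVE-2023-47218 (added illustration, not Qnap code).

Assumed input format: 'QTS 5.1.5.2645 build 20240116' (product, version,
optional build date). A build date is required when the version number is
exactly the fixed one; without it the build is conservatively treated as
not fixed.
"""
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, ...]
Fix = Tuple[Version, Optional[int]]  # (version tuple, build date YYYYMMDD or None)

# (product, branch prefix) -> (partially fixed build, fully fixed build).
# Values copied from the advisory table in the article.
FIX_TABLE: Dict[Tuple[str, Version], Tuple[Fix, Fix]] = {
    ("QTS", (5, 1)):    (((5, 1, 0, 2444), 20230629), ((5, 1, 5, 2645), 20240116)),
    ("QTS", (5, 0, 1)): (((5, 0, 1, 2145), 20220903), ((5, 1, 5, 2645), 20240116)),
    ("QTS", (5, 0, 0)): (((5, 0, 0, 1986), 20220324), ((5, 1, 5, 2645), 20240116)),
    ("QTS", (4, 5)):    (((4, 5, 4, 2012), 20220419), ((4, 5, 4, 2627), 20231225)),
    ("QTS", (4, 4)):    (((4, 5, 4, 2012), 20220419), ((4, 5, 4, 2627), 20231225)),
    ("QTS", (4, 3, 6)): (((4, 3, 6, 2665), 20240131), ((4, 3, 6, 2665), 20240131)),
    ("QTS", (4, 3, 5)): (((4, 3, 6, 2665), 20240131), ((4, 3, 6, 2665), 20240131)),
    ("QTS", (4, 3, 4)): (((4, 3, 4, 2675), 20240131), ((4, 3, 4, 2675), 20240131)),
    ("QTS", (4, 3)):    (((4, 3, 3, 2644), 20240131), ((4, 3, 3, 2644), 20240131)),
    ("QTS", (4, 2)):    (((4, 2, 6), 20240131),       ((4, 2, 6), 20240131)),
    ("QuTS hero", (5, 1)):    (((5, 1, 0, 2466), 20230721), ((5, 1, 5, 2647), 20240118)),
    ("QuTS hero", (5, 0, 1)): (((5, 0, 1, 2192), 20221020), ((5, 1, 5, 2647), 20240118)),
    ("QuTS hero", (5, 0, 0)): (((5, 0, 0, 1986), 20220324), ((5, 1, 5, 2647), 20240118)),
    ("QuTS hero", (4,)):      (((4, 5, 4, 1991), 20220330), ((4, 5, 4, 2626), 20231225)),
    ("QuTScloud", (5,)):      (((5, 1, 5, 2651), None),     ((5, 1, 5, 2651), None)),
}

# The leading 'h' / 'c' of QuTS hero and QuTScloud version numbers is dropped.
VERSION_RE = re.compile(
    r"^(QTS|QuTS hero|QuTScloud)\s+[hc]?(\d+(?:\.\d+)*)(?:\s+build\s+(\d{8}))?$",
    re.IGNORECASE,
)
PRODUCTS = {"qts": "QTS", "quts hero": "QuTS hero", "qutscloud": "QuTScloud"}


def parse_version(text: str) -> Tuple[str, Version, Optional[int]]:
    """Split a reported version string into (product, version tuple, build date)."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    product = PRODUCTS[m.group(1).lower()]
    version = tuple(int(part) for part in m.group(2).split("."))
    build = int(m.group(3)) if m.group(3) else None
    return product, version, build


def find_branch(product: str, version: Version) -> Optional[Version]:
    """Longest-prefix match of the running version against the table's branches."""
    best: Optional[Version] = None
    for prod, prefix in FIX_TABLE:
        if prod == product and version[: len(prefix)] == prefix:
            if best is None or len(prefix) > len(best):
                best = prefix
    return best


def at_or_after(version: Version, build: Optional[int], fix: Fix) -> bool:
    """True if (version, build) is the fixed build or a later one."""
    fix_version, fix_build = fix
    if version > fix_version:          # lexicographic tuple compare: 5.1.5.2645 > 5.1.0.2444
        return True
    if version == fix_version:
        if fix_build is None:          # table row carries no build date
            return True
        return build is not None and build >= fix_build
    return False


def patch_status(text: str) -> str:
    """Return 'fully_patched', 'partially_patched', 'unpatched' or 'unknown_branch'."""
    product, version, build = parse_version(text)
    branch = find_branch(product, version)
    if branch is None:
        return "unknown_branch"
    partial, full = FIX_TABLE[(product, branch)]
    if at_or_after(version, build, full):
        return "fully_patched"
    if at_or_after(version, build, partial):
        return "partially_patched"
    return "unpatched"


if __name__ == "__main__":
    # Constructed inventory lines, not real devices.
    inventory = [
        "QTS 5.1.5.2645 build 20240116",
        "QTS 5.0.1.2145 build 20220903",
        "QuTS hero h5.0.0.1986 build 20220101",
        "QuTScloud c5.1.5.2651",
    ]
    for entry in inventory:
        print(f"{entry:40} -> {patch_status(entry)}")
```

Anything other than "fully_patched" is an upgrade candidate; note that for the QTS 5.0.x and QuTS hero h5.0.x branches the fully fixed build lives in the 5.1 branch, so a device on those branches can never score better than "partially_patched" without moving to 5.1.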
Criminals regularly target bugs in Qnap software, and there is no reason to believe the risk is any lower this time. If Palo Alto and the German BSI are right, it will not be long before attackers go after these bugs, so updating should be a priority.