Qnap releases truckload of patches for “irresistible” bug

February 14, 2024

Qnap releases numerous patches for its NAS software. These close several vulnerabilities that independent researchers say are critical. The message: drop everything and update now.

Qnap releases a series of patches for QTS and QuTS hero. Both of the manufacturer’s operating systems for NAS and storage servers are vulnerable to attack.

Not serious or irresistible?

One zero-day stands out: CVE-2023-50358. Qnap describes this bug as not too serious and difficult to exploit, and settles on a CVSS score of 5.8. That assessment contradicts the findings of Unit 42, the research arm of security specialist Palo Alto, which describes the flaw as not complex to exploit and as having potentially critical impact. Unit 42 calls it an “irresistible target for attackers.”

Palo Alto’s Unit 42 is not alone in this conclusion. The German BSI has also gotten involved. According to the authority responsible for digital security, the vulnerability could cause major damage, and the BSI recommends that users install the patches promptly. It is not entirely clear why Qnap presents the vulnerability differently: the flaw allows attackers to inject code, which would normally be considered critical.

Unit 42 notes that at least 289,665 vulnerable devices are currently online. A technical analysis of the vulnerability and of possible exploitation is now also online.

Additionally, the software appears to be vulnerable to another bug: CVE-2023-47218. This one was discovered by Rapid7 and is likewise described by Qnap as not too serious. Qnap and Rapid7 do not seem to have cooperated well on responsible disclosure, with strange behavior from the NAS specialist, which did not adhere to the agreements made with the security company.

However, the whole drama is irrelevant to the heart of the matter, which is this: important Qnap software is vulnerable to exploitation, and independent authorities believe there is a high chance that attackers will seize this opportunity. Qnap has released patches, so it is time to install them.

Lots of patches

For some reason, Qnap opts for a somewhat vague patch policy with different patches for different versions that fix the bugs in whole or in part. Upgrading to the latest version seems like the best idea to us.

Software version  | Severity | Partially patched version                      | Fully patched version
------------------|----------|------------------------------------------------|------------------------------------------------
QTS 5.1.x         | Medium   | QTS 5.1.0.2444 Build 20230629 and later        | QTS 5.1.5.2645 Build 20240116 and later
QTS 5.0.1         | Medium   | QTS 5.0.1.2145 Build 20220903 and later        | QTS 5.1.5.2645 Build 20240116 and later
QTS 5.0.0         | High     | QTS 5.0.0.1986 Build 20220324 and later        | QTS 5.1.5.2645 Build 20240116 and later
QTS 4.5.x, 4.4.x  | High     | QTS 4.5.4.2012 Build 20220419 and above        | QTS 4.5.4.2627 Build 20231225 and later
QTS 4.3.6, 4.3.5  | High     | QTS 4.3.6.2665 Build 20240131 and later        | QTS 4.3.6.2665 Build 20240131 and later
QTS 4.3.4         | High     | QTS 4.3.4.2675 Build 20240131 and later        | QTS 4.3.4.2675 Build 20240131 and later
QTS 4.3.x         | High     | QTS 4.3.3.2644 Build 20240131 and later        | QTS 4.3.3.2644 Build 20240131 and later
QTS 4.2.x         | High     | QTS 4.2.6 Build 20240131 and later             | QTS 4.2.6 Build 20240131 and later
QuTS hero h5.1.x  | Medium   | QuTS hero h5.1.0.2466 Build 20230721 and above | QuTS hero h5.1.5.2647 Build 20240118 and above
QuTS hero h5.0.1  | Medium   | QuTS hero h5.0.1.2192 Build 20221020 and above | QuTS hero h5.1.5.2647 Build 20240118 and above
QuTS hero h5.0.0  | High     | QuTS hero h5.0.0.1986 Build 20220324 and above | QuTS hero h5.1.5.2647 Build 20240118 and above
QuTS hero h4.x    | High     | QuTS hero h4.5.4.1991 Build 20220330 and above | QuTS hero h4.5.4.2626 Build 20231225 and above
QuTScloud c5.x    | High     | QuTScloud c5.1.5.2651 and above                | QuTScloud c5.1.5.2651 and above
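Because the table mixes per-branch thresholds with a single "fully patched" target, checking an inventory by hand is error-prone. The following is an added example (not code from Qnap or from IT Daily) that parses a QTS or QuTS hero version string as it appears in the table and classifies it against the thresholds above; the row ordering, the regular expression and the treatment of a missing build date as 0 are assumptions of this example.

```python
import re
from typing import Tuple

Version = Tuple[Tuple[int, ...], int]  # (numeric version parts, build date as int; 0 if absent)

# Thresholds copied from the Qnap patch table above, as (product, branch prefix,
# partially patched version, fully patched version). Rows are ordered so that a
# specific branch ("QTS 4.3.6") is matched before its generic parent ("QTS 4.3.x").
PATCH_TABLE = [
    ("QTS", (5, 1), "5.1.0.2444 Build 20230629", "5.1.5.2645 Build 20240116"),
    ("QTS", (5, 0, 1), "5.0.1.2145 Build 20220903", "5.1.5.2645 Build 20240116"),
    ("QTS", (5, 0, 0), "5.0.0.1986 Build 20220324", "5.1.5.2645 Build 20240116"),
    ("QTS", (4, 5), "4.5.4.2012 Build 20220419", "4.5.4.2627 Build 20231225"),
    ("QTS", (4, 4), "4.5.4.2012 Build 20220419", "4.5.4.2627 Build 20231225"),
    ("QTS", (4, 3, 6), "4.3.6.2665 Build 20240131", "4.3.6.2665 Build 20240131"),
    ("QTS", (4, 3, 5), "4.3.6.2665 Build 20240131", "4.3.6.2665 Build 20240131"),
    ("QTS", (4, 3, 4), "4.3.4.2675 Build 20240131", "4.3.4.2675 Build 20240131"),
    ("QTS", (4, 3), "4.3.3.2644 Build 20240131", "4.3.3.2644 Build 20240131"),
    ("QTS", (4, 2), "4.2.6 Build 20240131", "4.2.6 Build 20240131"),
    ("QuTS hero", (5, 1), "h5.1.0.2466 Build 20230721", "h5.1.5.2647 Build 20240118"),
    ("QuTS hero", (5, 0, 1), "h5.0.1.2192 Build 20221020", "h5.1.5.2647 Build 20240118"),
    ("QuTS hero", (5, 0, 0), "h5.0.0.1986 Build 20220324", "h5.1.5.2647 Build 20240118"),
    ("QuTS hero", (4,), "h4.5.4.1991 Build 20220330", "h4.5.4.2626 Build 20231225"),
]

_VER_RE = re.compile(r"^(QTS|QuTS hero)\s+h?(\d+(?:\.\d+)*)(?:\s+Build\s+(\d{8}))?$", re.IGNORECASE)


def parse_version(text: str) -> Tuple[str, Version]:
    """Parse e.g. 'QuTS hero h5.0.1.2192 Build 20221020' into ('QuTS hero', ((5, 0, 1, 2192), 20221020))."""
    m = _VER_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Qnap version string: {text!r}")
    product = "QTS" if m.group(1).lower() == "qts" else "QuTS hero"
    parts = tuple(int(p) for p in m.group(2).split("."))
    return product, (parts, int(m.group(3) or 0))


def patch_status(text: str) -> str:
    """Classify an installed version as fully patched, partially patched, unpatched or unknown branch."""
    product, installed = parse_version(text)
    for prod, prefix, partial, full in PATCH_TABLE:
        if prod != product or installed[0][: len(prefix)] != prefix:
            continue
        # Tuple comparison: numeric parts first, build date breaks ties (a missing build counts as 0).
        if installed >= parse_version(f"{product} {full}")[1]:
            return "fully patched"
        if installed >= parse_version(f"{product} {partial}")[1]:
            return "partially patched"
        return "unpatched"
    return "unknown branch"
```

A version without a build date can at best be rated "partially patched", since the table's fully patched rows are defined by version and build together.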

Criminals regularly target flaws in Qnap software, and there is no reason to believe the risk is lower this time. If Palo Alto and the BSI are right, it will not be long before attackers go after these flaws. The updates should therefore be given priority.

Source: IT Daily
