QNAP warns about critical vulnerabilities in NAS systems

QNAP has published a security advisory about two critical vulnerabilities that could allow remote attackers to execute commands via a network.

One of the vulnerabilities affects the QTS and QuTS operating systems (OS) for QNAP’s network attached storage systems (NAS). The second one can be found in versions of QTS, the Multimedia Console, and the Media Streaming add-on.

CVE-2023-23368

The first vulnerability, CVE-2023-23368 (CVSS score 9.8 out of 10), is an OS command injection vulnerability.

OS command injection (also known as shell injection) is a security vulnerability that allows an attacker to execute arbitrary operating system (OS) commands on the device that is running an application, and typically fully compromise the application and all its data.

A fix is available for the vulnerability in the following versions:

  • QTS 5.0.1.2376 build 20230421 and later
  • QTS 4.5.4.2374 build 20230416 and later
  • QuTS hero h5.0.1.2376 build 20230421 and later
  • QuTS hero h4.5.4.2374 build 20230417 and later
  • QuTScloud c5.0.1.2374 and later

To update QTS, QuTS hero, or QuTScloud you can:

  • Log in to QTS, QuTS hero, or QuTScloud as an administrator.
  • Go to Control Panel > System > Firmware Update.
  • Under Live Update, click Check for Update.
  • The system will download and install the latest available update.

If that doesn’t work for you, you can also download the update from the QNAP website. Go to Support > Download Center and then perform a manual update for your specific device.

CVE-2023-23369

The second vulnerability, CVE-2023-23369 (CVSS score 9 out of 10), is also an OS command injection vulnerability that reportedly affects several QNAP operating system versions. If exploited, the vulnerability could allow users to execute commands via a network.

A fix for the vulnerability is available for the following versions:

  • Multimedia Console 2.1.2 ( 2023/05/04 ) and later
  • Multimedia Console 1.4.8 ( 2023/05/05 ) and later
  • QTS 5.1.0.2399 build 20230515 and later
  • QTS 4.3.6.2441 build 20230621 and later
  • QTS 4.3.4.2451 build 20230621 and later
  • QTS 4.3.3.2420 build 20230621 and later
  • QTS 4.2.6 build 20230621 and later
  • Media Streaming add-on 500.1.1.2 ( 2023/06/12 ) and later
  • Media Streaming add-on 500.0.0.11 ( 2023/06/16 ) and later

To update the Multimedia Console:

  • Log on to QTS as an administrator.
  • Open the App Center and then click the search symbol (looking glass).
  • Type “Multimedia Console” into the search box and then press Enter.
  • Multimedia Console will appear in the search results.
  • Click Update. (Note: The Update button is not available if your version is already up to date.)
  • A confirmation message appears.
  • Click OK.

To update the Media Streaming add-on:

  • Log on to QTS as an administrator.
  • Open the App Center and then click the search symbol (looking glass).
  • Type “Media Streaming add-on” into the search box and then press Enter.
  • Media Streaming add-on will appears in the search results.
  • Click Update. (Note: The Update button is not available if your version is already up to date.)
  • A confirmation message appears.
  • Click OK.

Extra tip: while you are logged in as an administrator consider whether your password is strong enough. On October 19, 2023 QNAP reported a significant wave of weak password attacks. NAS owners are one of the most common targets of ransomware attacks against consumers.


Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

https://blog.malwarebytes.com/feed/

Leave a Reply