www.belgium.be Logo of the federal government

Warning: 2 critical command injection vulnerabilities impact multiple versions of the QNAP QTS operating system and applications on its network-attached storage (NAS) devices. Patch Immediately!

Referentie: 
Advisory #2023-133
Versie: 
1.0
Geïmpacteerde software: 
CVE-2023-23368 affected QTS versions:
• QTS 5.0.x and 4.5.x
• QuTS hero h5.0.x and h4.5.x
• QuTScloud c5.0.1.
CVE-2023-23369 affected QTS versions:
• 5.1.x
• 4.3.6
• 4.3.4
• 4.3.3
• Multimedia Console 2.1.x and 1.4.x
• Media Streaming add-on 500.1.x and 500.0.x
Type: 
Command injection vulnerabilities
CVE/CVSS: 

CVE-2023-23368: CVSS 9.8(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVE-2023-23369: CVSS 9.0(CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)

Datum: 
07/11/2023

Bronnen

https://nvd.nist.gov/vuln/detail/CVE-2023-23368
https://nvd.nist.gov/vuln/detail/CVE-2023-23369

Risico’s

QNAP Systems published security advisories for two critical command injection vulnerabilities that impact multiple versions of the QTS operating system and applications on its network-attached storage (NAS) devices.

The first flaw is being tracked as CVE-2023-23368 and has a critical severity rating of 9.8 out of 10. It is a command injection vulnerability that a remote attacker can exploit to execute commands via a network.

The second vulnerability is identified as CVE-2023-23369 and has a lower severity rating of 9.0 and could also be exploited by a remote attacker to the same effect as the previous one.

Both the vulnerabilities have a HIGH Impact on Confidentiality, Integrity, and Availability. No user Interaction Is required to exploit these vulnerabilities.

Beschrijving

The two vulnerabilities (CVE-2023-23368 and CVE-2023-23369) affects several QNAP operating systems versions. When exploited, the vulnerabilities could allow users to execute commands via a network. 

Since the QNAP operating system Is used on NAS devices that are typically used to store data, command execution flaws could have a serious impact as cybercriminals are often looking for new targets to steal and/or encrypt sensitive data from.

Aanbevolen acties

The Centre for Cyber Security Belgium strongly recommends system administrators to take the following actions:

For CVE-2023-23368, fixes are available in the following releases:

  • QTS 5.0.1.2376 build 20230421 and later
  • QTS 4.5.4.2374 build 20230416 and later
  • QuTS hero h5.0.1.2376 build 20230421 and later
  • QuTS hero h4.5.4.2374 build 20230417 and later
  • QuTScloud c5.0.1.2374 and later

For CVE-2023-23369, fixes are available in the following releases:

  • QTS 5.1.0.2399 build 20230515 and later
  • QTS 4.3.6.2441 build 20230621 and later
  • QTS 4.3.4.2451 build 20230621 and later
  • QTS 4.3.3.2420 build 20230621 and later
  • QTS 4.2.6 build 20230621 and later
  • Multimedia Console 2.1.2 (2023/05/04) and later
  • Multimedia Console 1.4.8 (2023/05/05) and later
  • Media Streaming add-on 500.1.1.2 (2023/06/12) and later
  • Media Streaming add-on 500.0.0.11 (2023/06/16) and later

Referenties

https://www.bleepingcomputer.com/news/security/qnap-warns-of-critical-command-injection-flaws-in-qts-os-apps/
https://therecord.media/qnap-urgently-fixing-vulnerabilities-in-systems