[German]NAS manufacturer QNAP has released security updates for devices that work with QTS, QuTS hero and QuTScloud on September 10, 2021. In addition, there are probably also security updates for routers with QuNetSwitch. The security updates are intended to close vulnerabilities that are already being exploited by attackers.
Advertising
Vulnerability CVE-2018-19957
According to this QNAP security advisory QNAP NAS with QTS, QuTS hero and QuTScloud are affected by a vulnerability. The CVE-2018-19957 vulnerability stems from insufficient HTTP security headers and allows remote attackers to launch privacy and security attacks. The following software releases fix this vulnerability:
- QTS 4.5.4.1715 build 20210630 and later
- QuTS hero h4.5.4.1771 build 20210825 and later
- QuTScloud c4.5.6.1755 build 20210809 and later
QNAP provides security advisories for updating the software here.
CVE-2021-28816 and CVE-2021-34343
CVE-2021-28816 and CVE-2021-34343 denote a stack buffer overflow vulnerability in QTS, QuTS hero, and QuTScloud, respectively. If exploited, these vulnerabilities allow attackers to execute arbitrary code. The following software releases fix this vulnerability:
- QTS 5.0.0.1716 build 20210701 and later
- QTS 4.5.4.1715 build 20210630 and later
- QTS 4.3.6.1750 build 20210730 and later
- QTS 4.3.3.1693 build 20210624 and later
- QuTS hero h4.5.4.1771 build 20210825 and later
- QuTScloud c4.5.6.1755 and later
QNAP provides security information about updating the software here.
Vulnerability CVE-2021-28813 in QuNetSwitch
Vulnerability CVE-2021-28813 allows remote attackers to read sensitive information by accessing an unrestricted storage mechanism. The vulnerability affects the router that QSW-M2116P-2T2S and QNAP switches running QuNetSwitch. According to QNAP, the vulnerability is fixed with the following firmware.
Advertising
- QSW-M2116P-2T2S 1.0.6 build 210713 and later
- QGD-1600P: QuNetSwitch 1.0.6.1509 and later
- QGD-1602P: QuNetSwitch 1.0.6.1509 and later
- QGD-3014PT: QuNetSwitch 1.0.6.1519 and later
It is recommended, to update the devices as soon as possible, because it may be used in attacks to this devices.
