QNAP QTS update closes vulnerabilities (March 29, 2023)

As of March 29, 2023, the manufacturer QNAP has published a security advisory for its QTS operating system. With an update of the QTS software, the manufacturer closes the vulnerabilities CVE-2022-3437, CVE-2022-3592, CVE-2022-27597, CVE-2022-27598, CVE-2022-42898 and CVE-2023-22809. Here is a brief overview of this issue.


A German blog reader alerted me in a comment to the QNAP security advisory QTS build 20230322, dated March 29, 2023. The Taiwan-based manufacturer is offering a firmware update for its NAS drives that closes vulnerabilities CVE-2022-3437, CVE-2022-3592, CVE-2022-27597, CVE-2022-27598, CVE-2022-42898 and CVE-2023-22809. Details of these vulnerabilities can be found in the QNAP Security Advisories, which document additional vulnerabilities as early as March 30, 2023. The vulnerability CVE-2023-22809 exists in the sudo component of the firmware variants QTS, QuTS hero, QuTScloud and QVP (QVR Pro appliances). According to the advisory, the vulnerability is rated as high and affects the following OS versions:

  • QTS build 20230322 and later
  • QuTS hero h5.0.1.2348 build 20230324 and later

QNAP recommends updating the NAS systems to the latest version of the operating system to eliminate the vulnerabilities. The affected products (QNAS models) can be found in the advisory QTS build 20230322.

The update in question also fixed an issue that caused low download speeds on the TVS-h1688X after installing the QXP-T32P expansion card. It also fixed an issue where a NAS would unexpectedly log out of a VPN connection when the NAS was used as a VPN client to connect to an OpenVPN server.

However, QNAP lists several known issues in its advisory. QTS and QuTS hero with newer kernel versions do not support ATTO Fibre Channel adapters. If you already have an ATTO Fibre Channel adapter installed on your device, we recommend not upgrading the firmware to QTS 5.0.1 or QuTS hero h5.0.1 for now.

The Thunderbolt connection between the NAS and Mac sometimes cannot be restored automatically after the user reboots the NAS. In addition, network connectivity issues may occur when users add both 10GbE ports of the QXG-10G2SF-CX4 network expansion card to a virtual switch.

