QNAP warns of vulnerabilities CVE-2023-23368, CVE-2023-23369 in QTS

Catching up from last week: the NAS manufacturer QNAP has published a security warning for its QTS operating system for NAS stations. The critical vulnerability CVE-2023-23368 (CVSS index 9.8) allows remote execution of commands in older QTS versions. Another vulnerability, CVE-2023-23369 (CVSS index 9.0), also allows remote attacks. Updates are available to close both vulnerabilities. Here is an overview of the issue.


The security alert QSA-23-31, titled Vulnerability in QTS, QuTS hero, and QuTScloud, is dated November 4, 2023. CVE-2023-23368 is a command injection vulnerability that affects multiple QNAP operating system versions. Remote attackers can exploit it to execute commands over a network. The vulnerability is classified as critical, with a CVSS index of 9.8 (out of a maximum of 10.0). The following operating system versions are affected:

  • QTS 5.0.x
  • QTS 4.5.x
  • QuTS hero h5.0.x
  • QuTS hero h4.5.x
  • QuTScloud c5.0.x

The manufacturer QNAP has released the following updates, which close the above vulnerability, among others:

  • QTS 5.0.1.2376 build 20230421 and later
  • QTS 4.5.4.2374 build 20230416 and later
  • QuTS hero h5.0.1.2376 build 20230421 and later
  • QuTS hero h4.5.4.2374 build 20230417 and later
  • QuTScloud c5.0.1.2374 and later

QNAP recommends updating the software of existing NAS drives with the latest firmware updates to close such vulnerabilities. The procedure is described on the QNAP website.

The colleagues from Bleeping Computer also mention a second vulnerability CVE-2023-23369, which is documented in the security alert QSA-23-35 dated Nov. 4, 2023. The vulnerability has a CVSS index of 9.0 and can also be exploited remotely. Affected products are:

  • QTS 5.1.x, 4.3.6, 4.3.4, 4.3.3, 4.2.x
  • Multimedia Console 2.1.x, 1.4.x
  • Media Streaming add-on 500.1.x, 500.0.x

The following software updates close the vulnerability:


  • QTS 5.1.0.2399 build 20230515 and later
  • QTS 4.3.6.2441 build 20230621 and later
  • QTS 4.3.4.2451 build 20230621 and later
  • QTS 4.3.3.2420 build 20230621 and later
  • QTS 4.2.6 build 20230621 and later
  • Multimedia Console 2.1.2 (2023/05/04) and later
  • Multimedia Console 1.4.8 (2023/05/05) and later
  • Media Streaming add-on 500.1.1.2 (2023/06/12) and later
  • Media Streaming add-on 500.0.0.11 (2023/06/16) and later

The update procedure can also be found in the advisory QSA-23-35.
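
As an added example (not part of the original article and not QNAP tooling), the following Python script checks firmware strings against the fixed operating system releases listed above for both CVEs. The firmware string format, the `assess` helper and the sample inventory are assumptions made for illustration; the Multimedia Console and Media Streaming add-on entries are left out because they use a different version scheme.

```python
import re

# Rows transcribed from the two lists of fixed releases on this page:
# (product, affected branch prefix, first fixed version, first fixed build date)
FIXED = {
    "CVE-2023-23368": [
        ("QTS", (5, 0), (5, 0, 1, 2376), 20230421),
        ("QTS", (4, 5), (4, 5, 4, 2374), 20230416),
        ("QuTS hero", (5, 0), (5, 0, 1, 2376), 20230421),
        ("QuTS hero", (4, 5), (4, 5, 4, 2374), 20230417),
        ("QuTScloud", (5, 0), (5, 0, 1, 2374), 0),  # page gives no build date
    ],
    "CVE-2023-23369": [
        ("QTS", (5, 1), (5, 1, 0, 2399), 20230515),
        ("QTS", (4, 3, 6), (4, 3, 6, 2441), 20230621),
        ("QTS", (4, 3, 4), (4, 3, 4, 2451), 20230621),
        ("QTS", (4, 3, 3), (4, 3, 3, 2420), 20230621),
        ("QTS", (4, 2), (4, 2, 6), 20230621),
    ],
}

# Assumed input format: "<product> [h|c]<dotted version> [build <YYYYMMDD>]"
FW_RE = re.compile(r"^(QTS|QuTS hero|QuTScloud)\s+[hc]?(\d+(?:\.\d+)+)(?:\s+build\s+(\d{8}))?$")

def assess(cve, firmware):
    """Return 'patched', 'vulnerable' or 'not listed' for one firmware string."""
    m = FW_RE.match(firmware.strip())
    if not m:
        raise ValueError(f"unrecognised firmware string: {firmware!r}")
    version = tuple(int(p) for p in m.group(2).split("."))
    build = int(m.group(3) or 0)  # missing build date counts as oldest (conservative)
    for product, branch, fixed_ver, fixed_build in FIXED[cve]:
        if product == m.group(1) and version[:len(branch)] == branch:
            # "X and later": compare the version first, the build date breaks ties
            ok = (version, build) >= (fixed_ver, fixed_build)
            return "patched" if ok else "vulnerable"
    return "not listed"  # branch is not in this advisory's affected list

if __name__ == "__main__":
    # Constructed sample inventory, not real devices
    for fw in ("QTS 5.0.0.1986 build 20220324", "QTS 4.2.6 build 20230621"):
        print(fw, {cve: assess(cve, fw) for cve in FIXED})
```

A result of "not listed" only means the branch does not appear in the lists above; it says nothing about other advisories.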

