[German]Owners of QNAP NAS drives are at risk from the critical vulnerability CVE-2024-21899. This allows access to devices without requiring authentication via username and password. The manufacturer has released security updates to its vulnerable operating systems to close the vulnerability.
Advertising
I came across a tweet with the content "CVE-2024-21899 (CVSS 9.8): Critical QNAP Flaw Opens Door to Hackers This bug means attackers can slither into your NAS without needing a username or password." brought the issue to my attention. According to the tweet, more than 3 million devices have been found that have the vulnerability and are accessible via the Internet. The colleagues from Bleeping Computer have published this article on the subject. QNAP has published the security advisory qsa-24-09: Multiple Vulnerabilities in QTS, QuTS hero, QuTScloud, and myQNAPcloud on March 9, 2024. In the products listed below:
QTS 5.1.x, 4.5.x; QuTS hero h5.1.x, h4.5.x; QuTScloud c5.x; myQNAPcloud 1.0.x
there are the critical vulnerabilities:
- CVE-2024-21899: The vulnerability could allow users to compromise the security of the system over a network during authentication.
- CVE-2024-21900: The injection vulnerability allows authenticated users to execute commands over a network.
- CVE-2024-21901: The SQL injection vulnerability could allow authenticated administrators to inject malicious code over a network.
The vulnerabilities are fixed in the following software versions:
- QTS 5.1.x: QTS 5.1.3.2578 build 20231110 and later
- QTS 4.5.x: QTS 4.5.4.2627 build 20231225 and later
- QuTS hero h5.1.x: QuTS hero h5.1.3.2578 build 20231110 and later
- QuTS hero h4.5.x: QuTS hero h4.5.4.2626 build 20231225 and later
- QuTScloud c5.x: QuTScloud c5.1.5.2651 and later
- myQNAPcloud 1.0.x: myQNAPcloud 1.0.52 (2023/11/24) and later
Owners of of these QNAP products should install the software versions mentioned immediately in order to eliminate the critical vulnerabilities.
