QNAP patched three vulnerabilities in its network-attached storage (NAS) products, one of which with a critical CVSS score of 9.8, and the other two of medium severity, both which have CVSS scores well under 5.0.
In a March 9 advisory to its customers, QNAP said, if exploited, the critical flaw — CVE-2024-21899 — the improper authentication bug could let users compromise the security of the system via a network.
In the meantime, the CVE-2024-21900 injection vulnerability could let users execute commands via a network if exploited. The third flaw — CVE-2024-21901 — if exploited, the SQL injection vulnerability could let authenticated administrators inject malicious code via a network.
QNAP said it fixed the following versions of its products: QTS 5.1.x; QTS 4.5.x; QuTS hero h5.1.x; QuTS hero h4.5.x; QuTScloud c5.x; and my QNAPcloud 1.0.x.
The vendor recommended that security teams running QNAP NAS devices should regularly update their systems and applications to the latest version to benefit from the vulnerability fixes. The company made no mention as to whether these bugs were actively exploited in the wild. QNAP made a similar set of patches to QNAP NAS devices in January.
As IoT devices often are, QNAP NAS devices reside in many parts of an organization and often are managed outside of IT, pointed out Bud Broomhead, chief executive officer at Viakoo. While QNAP deserved credit for finding and issuing patches ahead of vulnerabilities being exploited, Broomhead said there will likely be a significant time lag before QNAP devices in the field are secured. Because QNAP NAS devices are high-volume IoT devices deployed outside of IT, Broomhead said it’s often difficult for teams to know that they have them.
“One might ask why with a high-severity score QNAP does not simply force the patch to be updated on all devices?” asked Broomhead. “That’s the problem with IoT devices, patching often needs to be scheduled and coordinated so that downtime does not impact operations. Automated IoT patching mechanisms where the end user can set schedules for updates is what teams need to ensure threat actors can’t take advantage of these vulnerabilities.”
QNAP added that security teams can check its product support status page to see the latest updates available to each specific QNAP NAS model.
