QNAP warns of critical auth bypass flaw in its NAS devices

QNAP warns of vulnerabilities in its NAS software products, including QTS, QuTS hero, QuTScloud, and myQNAPcloud, that could allow attackers to access devices.

The Taiwanese Network Attached Storage (NAS) device maker disclosed three vulnerabilities that can lead to an authentication bypass, command injection, and SQL injection.

While the last two require the attackers to be authenticated on the target system, which significantly lessens the risk, the first (CVE-2024-21899) can be executed remotely without authentication and is marked as "low complexity."

The three flaws fixed are the following:

• CVE-2024-21899: Improper authentication mechanisms allow unauthorized users to compromise the system's security through the network (remotely).
• CVE-2024-21900: This vulnerability could allow authenticated users to execute arbitrary commands on the system via a network, potentially leading to unauthorized system access or control.
• CVE-2024-21901: This flaw could enable authenticated administrators to inject malicious SQL code through the network, potentially compromising the database integrity and manipulating its contents.

The flaws impact various versions of QNAP's operating systems, including QTS 5.1.x, QTS 4.5.x, QuTS hero h5.1.x, QuTS hero h4.5.x, QuTScloud c5.x, and the myQNAPcloud 1.0.x service.

Users are recommended to upgrade to the following versions, which address the three flaws:

• QTS 5.1.3.2578 build 20231110 and later
• QTS 4.5.4.2627 build 20231225 and later
• QuTS hero h5.1.3.2578 build 20231110 and later
• QuTS hero h4.5.4.2626 build 20231225 and later
• QuTScloud c5.1.5.2651 and later
• myQNAPcloud 1.0.52 (2023/11/24) and later

For QTS, QuTS hero, and QuTScloud, users must log in as administrators, navigate to 'Control Panel > System > Firmware Update,' and click 'Check for Update' to launch the automatic installation process.

To update myQNAPcloud, log in as admin, open the 'App Center,' click on the search box, and type "myQNAPcloud" + ENTER. The update should appear in the results. Click on the 'Update' button to start.

NAS devices often store large amounts of valuable data for businesses and individuals, including sensitive personal information, intellectual property, and critical business data. At the same time, they are not closely monitored, remain always connected and exposed to the internet, and could be using outdated OS/firmware.

For all these reasons, NAS devices are often targeted for data theft and extortion.

Some ransomware operations previously known for targeting QNAP devices are DeadBolt, Checkmate, and Qlocker. 

These groups have launched numerous attack waves against NAS users, sometimes leveraging zero-day exploits to breach fully patched devices.

The best advice for NAS owners is to always keep your software update, and even better, don't expose these types of devices to the internet.