QNAP warns of critical command injection flaws in QTS OS, apps

QNAP Systems published security advisories for two critical command injection vulnerabilities that impact multiple versions of the QTS operating system and applications on its network-attached storage (NAS) devices.

The first flaw is being tracked as CVE-2023-23368 and has a critical severity rating of 9.8 out of 10. It is a command injection vulnerability that a remote attacker can exploit to execute commands via a network.

QTS versions affected by the security issue are QTS 5.0.x and 4.5.x, QuTS hero h5.0.x and h4.5.x, and QuTScloud c5.0.1.

Fixes are available in the following releases: 

  • QTS 5.0.1.2376 build 20230421 and later
  • QTS 4.5.4.2374 build 20230416 and later
  • QuTS hero h5.0.1.2376 build 20230421 and later
  • QuTS hero h4.5.4.2374 build 20230417 and later
  • QuTScloud c5.0.1.2374 and later

The second vulnerability, tracked as CVE-2023-23369, has a slightly lower severity rating of 9.0 and could also be exploited by a remote attacker to the same effect as the first.

Impacted QTS versions include 5.1.x, 4.3.6, 4.3.4, 4.3.3, and 4.2.x, Multimedia Console 2.1.x and 1.4.x, and Media Streaming add-on 500.1.x and 500.0.x.

Fixes are available in:

  • QTS 5.1.0.2399 build 20230515 and later
  • QTS 4.3.6.2441 build 20230621 and later
  • QTS 4.3.4.2451 build 20230621 and later
  • QTS 4.3.3.2420 build 20230621 and later
  • QTS 4.2.6 build 20230621 and later
  • Multimedia Console 2.1.2 (2023/05/04) and later
  • Multimedia Console 1.4.8 (2023/05/05) and later
  • Media Streaming add-on 500.1.1.2 (2023/06/12) and later
  • Media Streaming add-on 500.0.0.11 (2023/06/16) and later

To update QTS, QuTS hero, or QuTScloud, administrators can log in and navigate to Control Panel > System > Firmware Update, and click on "Check for Update" under Live Update to download and install the latest version. Updates are also available as manual downloads from QNAP's website.

Updating the Multimedia Console is possible by looking for the installation in the App Center and clicking the "Update" button (available only if a newer version exists). The process is similar for updating the Media Streaming add-on, which users can also locate by searching the App Center.
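For administrators with more than a handful of devices, the fix lists above are easier to apply as data than by eye. The following Python script is an added example, not part of the article and not QNAP tooling: it encodes the minimum fixed releases quoted above and reports, for a version string in the form the advisories use (for example "QTS 5.0.1.2376 build 20230421"), whether the device is fixed, still vulnerable, outside the affected branches, or cannot be judged. The parsing of version strings and the branch-prefix matching are assumptions made here; the version and build numbers themselves are the ones listed in the article.

```python
import re

# Minimum fixed releases from the QNAP advisories quoted above, keyed by CVE.
# Each entry: (product, affected-branch prefix, minimum fixed version, minimum build or None).
FIXED = {
    "CVE-2023-23368": [
        ("QTS",       (5, 0),    (5, 0, 1, 2376), 20230421),
        ("QTS",       (4, 5),    (4, 5, 4, 2374), 20230416),
        ("QuTS hero", (5, 0),    (5, 0, 1, 2376), 20230421),
        ("QuTS hero", (4, 5),    (4, 5, 4, 2374), 20230417),
        ("QuTScloud", (5, 0, 1), (5, 0, 1, 2374), None),
    ],
    "CVE-2023-23369": [
        ("QTS", (5, 1),    (5, 1, 0, 2399), 20230515),
        ("QTS", (4, 3, 6), (4, 3, 6, 2441), 20230621),
        ("QTS", (4, 3, 4), (4, 3, 4, 2451), 20230621),
        ("QTS", (4, 3, 3), (4, 3, 3, 2420), 20230621),
        ("QTS", (4, 2),    (4, 2, 6),       20230621),
    ],
}

# Assumed input format: "<product> [h|c]<dotted version> [build YYYYMMDD]".
_VERSION_RE = re.compile(
    r"^(?P<product>QTS|QuTS hero|QuTScloud)\s+[hc]?(?P<ver>\d+(?:\.\d+)*)"
    r"(?:\s+build\s+(?P<build>\d{8}))?$",
    re.IGNORECASE,
)

_PRODUCTS = {"qts": "QTS", "quts hero": "QuTS hero", "qutscloud": "QuTScloud"}


def parse_version(text):
    """Parse 'QTS 5.0.1.2376 build 20230421' into (product, version tuple, build or None).

    The 'h' / 'c' letter that QuTS hero and QuTScloud put in front of their
    version numbers is dropped so all three products compare the same way.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    product = _PRODUCTS[m["product"].lower()]
    version = tuple(int(part) for part in m["ver"].split("."))
    build = int(m["build"]) if m["build"] else None
    return product, version, build


def _status(version, build, min_version, min_build):
    """Compare one parsed version against a minimum fixed release."""
    head = version[: len(min_version)]
    if len(head) < len(min_version):
        return "unknown"        # version string too short to compare (e.g. "5.1.0")
    if head > min_version:
        return "fixed"
    if head < min_version:
        return "vulnerable"
    if min_build is None:       # advisory lists no build date for this release
        return "fixed"
    if build is None:
        return "unknown"        # same version number, but no build date to compare
    return "fixed" if build >= min_build else "vulnerable"


def assess(text):
    """Return {cve: status}; status is fixed / vulnerable / unknown / not affected."""
    product, version, build = parse_version(text)
    result = {}
    for cve, entries in FIXED.items():
        result[cve] = "not affected"
        for prod, branch, min_version, min_build in entries:
            if prod == product and version[: len(branch)] == branch:
                result[cve] = _status(version, build, min_version, min_build)
                break
    return result


if __name__ == "__main__":
    # Constructed sample inventory; these are not real devices.
    inventory = [
        "QTS 5.0.1.2376 build 20230421",
        "QTS 5.1.0.2348 build 20230401",
        "QuTS hero h4.5.4.2374 build 20230416",
        "QuTScloud c5.0.1.2374",
        "QTS 4.2.6 build 20230621",
    ]
    for entry in inventory:
        print(f"{entry:40} {assess(entry)}")
```

The QuTS hero h4.5.4 line in the sample inventory is the case worth noticing: its build date (20230416) matches the QTS 4.5.4 fix, but the QuTS hero fix is build 20230417, so the script correctly reports it as still vulnerable rather than treating the two products as interchangeable.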

Since NAS devices are typically used to store data, command execution flaws on them can have a serious impact: cybercriminals are constantly looking for new targets from which to steal and/or encrypt sensitive data, and can then demand a ransom from the victim not to leak the data or to decrypt it.

QNAP devices have been targeted in the past in large-scale ransomware attacks. A year ago, the Deadbolt ransomware gang exploited a zero-day vulnerability to encrypt NAS devices exposed on the public internet.

Given this history, QNAP users are advised to apply the available security updates as soon as possible.
