Close

Product

Operating System

Solution

Support

eShop

Where To Buy

About Us

Member United States / Canada - English
NAS- Network Attached Storage
Expansion Units
Cloud Storage
DAS & Accessories
High-speed Network Switches
SD-WAN Routers
Intel x86 Smart Edge Switch
NDR Cybersecurity Appliances
Network Virtualization uCPE
Accessories
Expansion Cards/ Interface Cards
Video Surveillance System
Video Conferencing Appliance
QTS

QTS

QTS is the operating system for entry- and mid-level QNAP NAS. WIth Linux and ext4, QTS enables reliable storage for everyone with versatile value-added features and apps, such as snapshots, Plex media servers, and easy access of your personal cloud.

System
Applications
QuTS hero

QuTS hero

QuTS hero is the operating system for high-end and enterprise QNAP NAS models. With Linux and ZFS, QuTS hero supports advanced data reduction technologies for further driving down costs and increasing reliablility of SSD (all-flash) storage.

System
Applications
QuTScloud

QuTScloud

QuTScloud is the operating system for QNAP Cloud NAS virtual appliances. With the possibility of on-premises and cloud deployment, QuTScloud enables optimized cloud data usage and flexible resource allocation at a predictable monthly cost.

System
Applications
QES

QES

QES is the operating system for dual-controller QNAP NAS models. With FreeBSD and ZFS, QES is flash-optimized, capable of driving outstanding performance for all-flash storage arrays.

System
Product
Resources
QNE Network

QNE Network

QNE Network is the operating system for QuCPE, QNAP's universal customer premises equipment series. Run virtual network functions, freely configure software-defined networks, and enjoy benefits such as lowered costs and reduced management efforts.

System
Applications
QSS

QSS

QNAP Switch System (QSS) is the configuration interface for QNAP's managed switch series. Enable management functions such as link aggregation, VLAN, and RSTP, to take care of your network topology with ease.

System
QuRouter

QuRouter

QNAP’s QuRouter OS simplifies managing high-speed and high-coverage LAN/WAN. With NAT, VPN, security, and QuWAN SD-WAN, network management is made easier and remote connections more secure.

System
Applications
QVR Surveillancee

QVR Surveillancee

QVR Surveillance is QNAP’s network video recorder software solution. It offers subscription-based QVR Elite and perpetual QVR Pro, and can be used with a series of apps, such as face recognition and door access control for a wider range of scenarios.

System
Applications
Resources
QVR Face

QVR Face

QVR Face is a smart facial recognition solution featuring real-time live streaming video analytics from connected cameras. It can be integrated into multiple scenarios to provide intelligent attendance management, door access control management, VIP welcome systems and smart retail services.

System
Applications
Resources
KoiMeeter

KoiMeeter

QNAP smart video solutions provides integrated intelligent packages such as video conferencing and smart retail, boosting productivity for individuals and businesses.

Video Conferencing
Smart Retail
Solution
Support
Where To Buy
About Us
Search

Security ID : QSA-23-57

Multiple Vulnerabilities in QTS, QuTS hero and QuTScloud

  • Release date : February 13, 2024

  • CVE identifier : CVE-2023-47218 | CVE-2023-50358

  • Affected products: QTS 5.x, 4.x; QuTS hero h5.x, h4.x, QuTScloud 5.x

Severity

Medium

Status

Resolved

Summary

Multiple vulnerabilities have been reported to affect several QNAP operating system versions. If exploited, the OS command injection vulnerabilities could allow users to execute commands via a network.

    

We have already fixed the vulnerabilities in the following versions.

  

To fully fix the vulnerabilities, you must install one of the fully fixed versions.

  

If you do not want to install a fully fixed version for your device, you can still mitigate the vulnerabilities by installing a partially fixed version. However, note that the vulnerabilities still exist during the installation process of a partially fixed version. The vulnerabilities only disappear after installation is complete.

Affected Product Severity Partially Fixed Version Fully Fixed Version
QTS 5.1.x Medium QTS 5.1.0.2444 build 20230629 and later QTS 5.1.5.2645 build 20240116 and later
QTS 5.0.1 Medium QTS 5.0.1.2145 build 20220903 and later QTS 5.1.5.2645 build 20240116 and later
QTS 5.0.0 High QTS 5.0.0.1986 build 20220324 and later QTS 5.1.5.2645 build 20240116 and later
QTS 4.5.x, 4,4,x High QTS 4.5.4.2012 build 20220419 and later QTS 4.5.4.2627 build 20231225 and later
QTS 4.3.6, 4.3.5 High QTS 4.3.6.2665 build 20240131 and later QTS 4.3.6.2665 build 20240131 and later
QTS 4.3.4 High QTS 4.3.4.2675 build 20240131 and later QTS 4.3.4.2675 build 20240131 and later
QTS 4.3.x High QTS 4.3.3.2644 build 20240131 and later QTS 4.3.3.2644 build 20240131 and later
QTS 4.2.x High QTS 4.2.6 build 20240131 and later QTS 4.2.6 build 20240131 and later
QuTS hero h5.1.x Medium QuTS hero h5.1.0.2466 build 20230721 and later QuTS hero h5.1.5.2647 build 20240118 and later
QuTS hero h5.0.1 Medium QuTS hero h5.0.1.2192 build 20221020 and later QuTS hero h5.1.5.2647 build 20240118 and later
QuTS hero h5.0.0 High QuTS hero h5.0.0.1986 build 20220324 and later QuTS hero h5.1.5.2647 build 20240118 and later
QuTS hero h4.x High QuTS hero h4.5.4.1991 build 20220330 and later QuTS hero h4.5.4.2626 build 20231225 and later
QuTScloud c5.x High QuTScloud c5.1.5.2651 and later QuTScloud c5.1.5.2651 and later

  

Recommendation

To secure your device, we recommend regularly updating your system to the latest version to benefit from vulnerability fixes. You can check the product support status to see the latest updates available to your NAS model.

Mitigation

If you do not want to update your operating system to the latest version, you can perform the following actions to mitigate the vulnerabilities.

  1. Test the following URL in your browser:

         https://<NAS IP address>:<NAS system port>/cgi-bin/quick/quick.cgi
     
    • If you get the following response (HTTP 404 error), your system is not vulnerable:
           "Page not found or the web server is currently unavailable. Please contact the website administrator for help."
    • If you get an empty page (HTTP 200), continue to the next step.
       
  2. Update your operating system to one of the following versions or later:
     
    • QTS 5.1.0.2444 build 20230629 and later
    • QTS 5.0.1.2145 build 20220903 and later
    • QTS 5.0.0.1986 build 20220324 and later
    • QTS 4.5.4.2012 build 20220419 and later
    • QTS 4.3.6.2665 build 20240131 and later
    • QTS 4.3.4.2675 build 20240131 and later
    • QTS 4.3.3.2644 build 20240131 and later
    • QTS 4.2.6 build 20240131 and later
    • QuTS hero h5.1.0.2466 build 20230721 and later
    • QuTS hero h5.0.1.2192 build 20221020 and later
    • QuTS hero h5.0.0.1986 build 20220324 and later
    • QuTS hero h4.5.4.1991 build 20220330 and later
        
  3. Test the above URL again in your browser.
    • If you get the following response (HTTP 404 error), your system is now free from the vulnerabilities:
           "Page not found or the web server is currently unavailable. Please contact the website administrator for help."
    • If you get an empty page (HTTP 200), please update firmware immediately.

Updating QTS, QuTS hero, or QuTScloud

  1. Log in to QTS, QuTS hero, or QuTScloud as an administrator.
  2. Go to Control Panel > System > Firmware Update.
  3. Under Live Update, click Check for Update.
    The system downloads and installs the latest available update.

Tip: You can also download the update from the QNAP website. Go to Support > Download Center and then perform a manual update for your specific device.

Attachment

Acknowledgements:
Stephen Fewer, Principal Security Researcher at Rapid7
Palo Alto Networks Unit 42

Revision History:
V1.0 (February 13, 2024) - Published

Choose specification

      Show more Less

      Choose Your Country or Region

      open menu
      back to top