QNAP has released critical security updates over the weekend to address multiple vulnerabilities affecting its NAS systems and routers. These flaws include three “critical” severity issues that could allow unauthorized system access and remote code execution. Users are strongly urged to update their devices immediately.
Notes Station 3 Vulnerabilities
Two critical flaws were found in Notes Station 3, a collaboration and note-taking app widely used in QNAP NAS devices:
- CVE-2024-38643: A missing authentication mechanism for critical functions allows remote attackers to gain unauthorized access and execute system commands. (CVSS v4 score: 9.3, “critical”).
- CVE-2024-38645: A server-side request forgery (SSRF) vulnerability enables authenticated attackers to manipulate server-side behavior and access sensitive data.
QNAP has fixed these issues in Notes Station 3 version 3.9.7. Users are advised to update immediately to mitigate risks. Full update instructions are available in QNAP’s official security bulletin.
Additional vulnerabilities, CVE-2024-38644 and CVE-2024-38646, rated as “high severity,” involve command injection and unauthorized data access. These require user-level access to exploit.
QuRouter Flaws
A critical vulnerability, CVE-2024-48860, impacts QNAP’s QuRouter 2.4.x devices. This OS command injection flaw could allow remote attackers to execute commands on the host system.
Another less severe issue, CVE-2024-48861, also involving command injection, has been patched. Both issues are resolved in QuRouter version 2.4.3.106, and QNAP recommends immediate updates.
Other QNAP Products Affected
QNAP addressed additional vulnerabilities across its ecosystem, including:
- CVE-2024-38647 (QNAP AI Core): Information exposure flaw that could let attackers access sensitive data. Resolved in AI Core version 3.4.1 and later.
- CVE-2024-48862 (QuLog Center): A link-following flaw that could allow unauthorized file system access. Fixed in QuLog Center versions 1.7.0.831 and 1.8.0.888.
- CVE-2024-50396 & CVE-2024-50397 (QTS and QuTS Hero): Format string handling vulnerabilities that could allow attackers to manipulate system memory or access sensitive data. Resolved in QTS 5.2.1.2930 and QuTS Hero h5.2.1.2929.
-
Protecting Your QNAP Devices
QNAP urges all users to install these updates as soon as possible to secure their systems against potential attacks.
Additionally:
- Ensure QNAP devices are not directly exposed to the Internet.
- Deploy devices behind a VPN for enhanced security.
- Regularly monitor for updates and apply them promptly.
By taking these precautions, users can mitigate risks and protect sensitive data from exploitation.
Trending: Chinese Hackers Exploit Zero-Day in FortiClient VPN with ‘DeepData’ Toolkit
Are u a security researcher? Or a company that writes articles about Cyber Security, Offensive Security (related to information security in general) that match with our specific audience and is worth sharing? If you want to express your idea in an article contact us here for a quote: info@blackhatethicalhacking.com