QNAP has released multiple security advisories for addressing several high, medium, and low-severity vulnerabilities in multiple products, including QTS, QuTS hero, Netatalk, Video Station, QuMagie, and QcalAgent.
QNAP has also stated all the affected products and their versions and the steps to update each product. The CVEs for these vulnerabilities are as follows:
- CVE-2023-45039 (Low – QTS and QuTS hero)
- CVE-2023-45040 (Low – QTS and QuTS hero)
- CVE-2023-45041 (Low – QTS and QuTS hero)
- CVE-2023-45042 (Low – QTS and QuTS hero)
- CVE-2023-45043 (Low – QTS and QuTS hero)
- CVE-2023-45044 (Low – QTS and QuTS hero)
- CVE-2022-43634 (High – Netatalk)
- CVE-2023-41287 (High-Video Station)
- CVE-2023-41288 (High-Video Station)
- CVE-2023-47219 (Low – QuMagie)
- CVE-2023-47559 (High – QuMagie)
- CVE-2023-47560 (High – QuMagie)
- CVE-2023-39294 (Medium – QTS and QuTS hero)
- CVE-2023-39296 (High – QTS and QuTS hero)
- CVE-2023-41289 (Medium – QcalAgent)
QTS and QuTS hero Vulnerabilities
CVE-2023-45039, CVE-2023-45040, CVE-2023-45041, CVE-2023-45042, CVE-2023-45043, and CVE-2023-45044 were associated with buffer copy, which was due to the insufficient checking in size of the input.
Exploiting this vulnerability could allow authenticated administrators to execute code through a network.
Compounding the problem are zero-day vulnerabilities like the MOVEit SQLi, Zimbra XSS, and 300+ such vulnerabilities that get discovered each month. Delays in fixing these vulnerabilities lead to compliance issues, these delay can be minimized with a unique feature on AppTrana that helps you to get “Zero vulnerability report” within 72 hours.
The severity of this set of vulnerabilities has been given as low, according to the QNAP security advisory. However, CVE-2023-39294 and CVE-2023-39296 were given medium and high severity as per the security advisories.
CVE-2023-39294 was associated with OS command injection, which could allow authenticated administrators to execute commands through a network.
At the same time, CVE-2023-39296 was related to prototype pollution that could allow remote users to override existing attributes with incompatible types, resulting in the system’s crashing.
QuMagie Vulnerabilities
CVE-2023-47219 was a low-severity vulnerability associated with SQL injection that could allow an authenticated threat actor to inject malicious code via a network. CVE-2023-47559 and CVE-2023-47560 were a set of high-severity vulnerabilities linked to Cross-site scripting and OS command injection, respectively.
Both of these vulnerabilities require the threat actor to be an authenticated user. Exploiting these vulnerabilities could result in either the injection of malicious code (CVE-2023-47559) or the execution of commands through a network (CVE-2023-47560).
Video Station Vulnerabilities
CVE-2023-41287 and CVE-2023-41288 were another set of vulnerabilities reported on a QNAP security advisory. CVE-2023-41287 was an SQL injection vulnerability, and CVE-2023-41288 was an OS command injection vulnerability.
These vulnerabilities were marked as high severity by QNAP. However, both vulnerabilities affect Video Station version 5.7.x and have been fixed in Video Station 5.7.2 and later versions.
Netatalk and QcalAgent
The Netatalk vulnerability has been given the CVE-2022-43634, and its severity is high. However, QNAP has not released any other details about this vulnerability or its category. However, according to the security advisory, this vulnerability affects the QTS 5.1.x version and has been fixed in QTS 5.1.3.2578 build 20231110 and later.
CVE-2023-41289 was another OS command injection vulnerability reported to be affecting QcalAgent. This vulnerability was given as a medium severity in the security advisory and mentioned to be affecting QcalAgent 1.1.x
All of the affected products have been fixed, and patches have been released. It is recommended for organizations that use these products to upgrade to the latest versions to prevent becoming prey for threat actors.