Two critical OS command injection flaws have been discovered in multiple QNAP products, which include QTS, Multimedia Console, Media Streaming add-on, QuTS Hero, and QuTScloud.
These vulnerabilities existed in the QTS operating system and applications on network-attached storage (NAS) devices, which are used to store many sensitive data.
Hence, a command injection flaw on a NAS device could lead to the leakage of several sensitive pieces of information, which threat actors can use for many malicious purposes, including ransom demands.
The CVEs for these vulnerabilities have been assigned as CVE-2023-23368 and CVE-2023-23369, with severities of 9.0 (critical) and 9.8 (Critical), respectively. However, QNAP has released security advisories for fixing these vulnerabilities.
CVE-2023-23368: OS Command Injection Vulnerability
This vulnerability exists in several QNAP operating system versions, which threat actors can exploit to execute commands via a network. The severity of this vulnerability has been given as 9.0 (Critical).
C-2023-23369: OS Command Injection Vulnerability
This vulnerability exists in multiple QNAP operating systems and application versions, which could allow threat actors to execute remote commands on affected versions. The severity of this vulnerability has been given as 9.8 (Critical).
Also Read: 12 Best Vulnerability Management Tools 2023
Affected Products and Fixed in Version
CVE ID | Affected Product | Fixed Version |
CVE-2023-23368 | QTS 5.0.xQTS 4.5.xQuTS hero h5.0.xQuTS hero h4.5.xQuTScloud c5.0.x | QTS 5.0.1.2376 build 20230421 and laterQTS 4.5.4.2374 build 20230416 and laterQuTS hero h5.0.1.2376 build 20230421 and laterQuTS hero h4.5.4.2374 build 20230417 and laterQuTScloud c5.0.1.2374 and later |
CVE-2023-23369 | QTS 5.1.xQTS 4.3.6QTS 4.3.4QTS 4.3.3QTS 4.2.xMultimedia Console 2.1.xMultimedia Console 1.4.xMedia Streaming add-on 500.1.xMedia Streaming add-on 500.0.x | QTS 5.1.0.2399 build 20230515 and laterQTS 4.3.6.2441 build 20230621 and laterQTS 4.3.4.2451 build 20230621 and laterQTS 4.3.3.2420 build 20230621 and laterQTS 4.2.6 build 20230621 and laterMultimedia Console 2.1.2 (2023/05/04) and laterMultimedia Console 1.4.8 (2023/05/05) and laterMedia Streaming add-on 500.1.1.2 (2023/06/12) and laterMedia Streaming add-on 500.0.0.11 (2023/06/16) and later |
Ensure your Cyber Resiliance with the recent wave of cyber-attacks targeting the financial services sector. Almost 60% respondents not confident to recover fully from a cyber attack.
How to Update?
- 1. Log in to to the affected versions as an administrator
- 2. Go to Control Panel > System > Firmware Update
- 3. Under Live Update, click Check for Update
For updating Multimedia Console,
- 1. Log on to QTS as an administrator.
- 2. Open the App Center and then click .
- 3. Inside the search box appears Type “Multimedia Console” and then press ENTER.
- 4. In the Multimedia console, Click Update.
- 5. After updating, Click OK.
For updating Media Streaming Add-on,
- 1. Log on to QTS as an administrator.
- 2. Open the App Center
- 3. Inside the search box, type “Media Streaming add-on” and then press ENTER.
- 4. In the Media Streaming add-on console, Click Update.
- 5. After updating, Click OK.
However, The Update button is unavailable if your version is already up to date.
For more information, QNAP has also released steps to fix these vulnerabilities. Users of these products are recommended to upgrade to the latest versions of these products to prevent these vulnerabilities from getting exploited.
Patch Manager Plus: Automatically Patch over 850 third-party applications quickly – Try Free Trial.