Les Bell
Blog entry by Les Bell
NAS Vendor QNAP has released fixes for two remote command execution vulnerabilities in their QTS, QuTS hero and QuTS cloud operating systems. The vulnerabilities are:
- CVE-2023-23368 (CVSS 3.1 score: 9.8), a command injection vulnerability affecting:
- QTS 5.0.x (fixed in QTS 5.0.1.2376 build 20230421 and later)
- QTS 4.5.x (fixed in QTS 4.5.4.2374 build 20230416 and later)
- QuTS hero h5.0.x (fixed in QuTS hero h5.0.1.2376 build 20230421 and later)
- QuTS hero h4.5.x (fixed in QuTS hero h4.5.4.2374 build 20230417 and later)
- QuTScloud c5.0.x (fixed in QuTScloud c5.0.1.2374 and later)
- CVE-2023-23369 (CVSS 3.1 score 9.8), a command injection vulnerability affecting:
- QTS 5.1.x (fixed in QTS 5.1.0.2399 build 20230515 and later)
- QTS 4.3.6 (fixed in QTS 4.3.6.2441 build 20230621 and later)
- QTS 4.3.4 (fixed in QTS 4.3.4.2451 build 20230621 and later)
- QTS 4.3.3 (fixed in QTS 4.3.3.2420 build 20230621 and later)
- QTS 4.2.x (fixed in QTS 4.2.6 build 20230621 and later)
- Multimedia Console 2.1.x (fixed in Multimedia Console 2.1.2 (2023/05/04) and later)
- Multimedia Console 1.4.x (fixed in Multimedia Console 1.4.8 (2023/05/05) and later)
- Media Streaming add-on 500.1.x (fixed in Media Streaming add-on 500.1.1.2 (2023/06/12) and later)
- Media Streaming add-on 500.0.x (fixed in Media Streaming add-on 500.0.0.11 (2023/06/16) and later)
These are all fairly old versions of the software, as revealed by the version numbers of the fixed updates, and so most well-maintained installations will be unaffected - and those that are should obviously update immediately.
After all, the beauty of NAS appliances such as those from QNAP and Synology is that admins don't need to get down in the weeds with Linux command-line administration - but they do have to still follow good admin practices such as proactive patching. On the QNAP devices, this is as simple as logging in with an admin account, opening the Control Panel, selecting Firmware Update and clicking the "Check for Updates" button, which will kick off the update process (right). And it's not even necessary to log in regularly - the server can notify you or even automatically install critical updates. It's also possible to do this from your phone, via the Qmanager app.
Really, people, there are no excuses . . .
QNAP Inc., Vulnerability in QTS, QuTS hero, and QuTScloud, security advisory QSA-23-31, 4 November 2023. Available online at https://www.qnap.com/en-uk/security-advisory/qsa-23-31.
QNAP Inc., Vulnerability in QTS, Multimedia Console, and Media Streaming add-on, security advisory QSA-23-35, 4 November 2023. Available online at https://www.qnap.com/en-uk/security-advisory/qsa-23-35,
Upcoming Courses
- SE221 CISSP Fast Track Review, Virtual/Online, 13 - 17 November 2023
- SE221 CISSP Fast Track Review, Sydney, 4 - 8 December 2023
- SE221 CISSP Fast Track Review, Sydney, 11 - 15 March 2024
- SE221 CISSP Fast Track Review, Virtual/Online, 13 - 17 May 2024
- SE221 CISSP Fast Track Review, Virtual/Online, 17 - 21 June 2024
- SE221 CISSP Fast Track Review, Sydney, 22 - 26 July 2024
About this Blog
I produce this blog while updating the course notes for various courses. Links within a story mostly lead to further details in those course notes, and will only be accessible if you are enrolled in the corresponding course. This is a shallow ploy to encourage ongoing study by our students. However, each item ends with a link to the original source.
These blog posts are collected at https://www.lesbell.com.au/blog/index.php?user=3. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.
Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.