QNAP OS Command Injection Vulnerability Let Attackers Execute Malicious Commands

Two critical OS command injection flaws have been discovered in multiple QNAP products, which include QTS, Multimedia Console, Media Streaming add-on, QuTS Hero, and QuTScloud. 

These vulnerabilities existed in the QTS operating system and applications on network-attached storage (NAS) devices, which are used to store many sensitive data. 

Hence, a command injection flaw on a NAS device could lead to the leakage of several sensitive pieces of information, which threat actors can use for many malicious purposes, including ransom demands.

The CVEs for these vulnerabilities have been assigned as CVE-2023-23368 and CVE-2023-23369, with severities of 9.0 (critical) and 9.8 (Critical), respectively. However, QNAP has released security advisories for fixing these vulnerabilities. 

CVE-2023-23368: OS Command Injection Vulnerability 

This vulnerability exists in several QNAP operating system versions, which threat actors can exploit to execute commands via a network. The severity of this vulnerability has been given as 9.0 (Critical).

C-2023-23369: OS Command Injection Vulnerability

This vulnerability exists in multiple QNAP operating systems and application versions, which could allow threat actors to execute remote commands on affected versions. The severity of this vulnerability has been given as 9.8 (Critical).

Also Read: 12 Best Vulnerability Management Tools 2023

Affected Products and Fixed in Version

CVE IDAffected ProductFixed Version
CVE-2023-23368QTS 5.0.xQTS 4.5.xQuTS hero h5.0.xQuTS hero h4.5.xQuTScloud c5.0.xQTS 5.0.1.2376 build 20230421 and laterQTS 4.5.4.2374 build 20230416 and laterQuTS hero h5.0.1.2376 build 20230421 and laterQuTS hero h4.5.4.2374 build 20230417 and laterQuTScloud c5.0.1.2374 and later
CVE-2023-23369QTS 5.1.xQTS 4.3.6QTS 4.3.4QTS 4.3.3QTS 4.2.xMultimedia Console 2.1.xMultimedia Console 1.4.xMedia Streaming add-on 500.1.xMedia Streaming add-on 500.0.xQTS 5.1.0.2399 build 20230515 and laterQTS 4.3.6.2441 build 20230621 and laterQTS 4.3.4.2451 build 20230621 and laterQTS 4.3.3.2420 build 20230621 and laterQTS 4.2.6 build 20230621 and laterMultimedia Console 2.1.2 (2023/05/04) and laterMultimedia Console 1.4.8 (2023/05/05) and laterMedia Streaming add-on 500.1.1.2 (2023/06/12) and laterMedia Streaming add-on 500.0.0.11 (2023/06/16) and later
Document
FREE Webinar

Webinar on Cyber Resilience for Financial Sector

Ensure your Cyber Resiliance with the recent wave of cyber-attacks targeting the financial services sector. Almost 60% respondents not confident to recover fully from a cyber attack.

How to Update?

  • 1. Log in to the affected versions as an administrator
  • 2. Go to Control Panel > System > Firmware Update
  • 3. Under Live Update, click Check for Update

For updating Multimedia Console,

  • 1. Log on to QTS as an administrator.
  • 2. Open the App Center and then click  .
  • 3. Inside the search box appears Type “Multimedia Console” and then press ENTER.
  • 4. In the Multimedia console, Click Update.
  • 5. After updating, Click OK.

For updating Media Streaming Add-on,

  • 1. Log on to QTS as an administrator.
  • 2. Open the App Center
  • 3. Inside the search box, type “Media Streaming add-on” and then press ENTER.
  • 4. In the Media Streaming add-on console, Click Update.
  • 5. After updating, Click OK.

However,  The Update button is unavailable if your version is already up to date.

For more information, QNAP has also released steps to fix these vulnerabilities. Users of these products are recommended to upgrade to the latest versions of these products to prevent these vulnerabilities from getting exploited.

Patch Manager Plus: Automatically Patch over 850 third-party applications quickly – Try Free Trial.

Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.