Multiple Vulnerabilities in QTS, QuTS hero, QuTScloud, and myQNAPcloud (CVE-2024-21899, CVE-2024-21900 and CVE-2024-21901)

Advisory No: TZCERT/SA/2024/03/21-01

Date of First Release: 21st March 2024

Source: QNAP

Software Affected: QTS, QuTS hero, QuTScloud, myQNAPcloud

Overview:

QNAP has released security patches to address critical vulnerabilities affecting QTS, QuTS hero, QuTScloud, and myQNAPcloud. These vulnerabilities could allow an attacker to inject malicious code and execute code over a network.

Description:

QTS, QuTS hero, QuTScloud, and myQNAPcloud are affected by the following vulnerabilities. CVE-2024-21899 is an improper authentication vulnerability that could allow attackers to compromise a system remotely. CVE-2024-21900 could allow unauthorized users to execute arbitrary commands on the system via a network. CVE-2024-21901 could allow attackers to inject malicious SQL code through the network.

Impact:

Successful exploitation of these vulnerabilities may allow the attacker to take control of the affected system.

Solution:

QNAP has released patches for these vulnerabilities. Users and administrators are encouraged to apply the necessary updates.

References:

  1. https://www.qnap.com/en/security-advisory/qsa-24-09
  2. https://www.cybersecurity-help.cz/vdb/SB2024031110
