Advisory No: TZCERT/SA/2024/03/21-01
Date of First Release: 21st March 2024
Source: QNAP
Software Affected: QTS, QuTS hero, QuTScloud, myQNAPcloud
Overview:
QNAP has released security patches to address critical vulnerabilities affecting QTS, QuTS hero, QuTScloud, and myQNAPcloud. These vulnerabilities could allow an attacker to inject malicious code and execute code via a network.
Description:
QTS, QuTS hero, QuTScloud, and myQNAPcloud are affected by the following vulnerabilities. CVE-2024-21899 is an improper authentication mechanism that could allow attackers to compromise a system remotely. CVE-2024-21900 could allow unauthorized users to execute arbitrary commands on the system via a network. CVE-2024-21901 could allow attackers to inject malicious SQL code via a network.
Impact:
Successful exploitation of these vulnerabilities may allow an attacker to take control of the affected system.
Solution:
QNAP has released patches for these vulnerabilities. Users and administrators are encouraged to apply the necessary updates.