
Alerts

Multiple Vulnerabilities in QTS, QuTS hero, QuTScloud, and myQNAPcloud (CVE-2024-21899, CVE-2024-21900 and CVE-2024-21901)

Advisory No: TZCERT/SA/2024/03/21-01

Date of First Release: 21st March 2024

Source: QNAP

Software Affected: QTS, QuTS hero, QuTScloud, myQNAPcloud

Overview:

QNAP has released security patches to address critical vulnerabilities affecting QTS, QuTS hero, QuTScloud, and myQNAPcloud. These vulnerabilities could allow an attacker to inject malicious code and execute code via a network.

Description:

QTS, QuTS hero, QuTScloud, and myQNAPcloud are affected by the following vulnerabilities. CVE-2024-21899 involves an improper authentication mechanism that could allow attackers to compromise a system remotely. CVE-2024-21900 could allow unauthorized users to execute arbitrary commands on the system via a network. CVE-2024-21901 could allow attackers to inject malicious SQL code through the network.

Impact:

Successful exploitation of these vulnerabilities may allow the attacker to take control of the affected system.

Solution:

QNAP has released patches for these vulnerabilities. Users and administrators are encouraged to apply the necessary updates.

References:

  1. https://www.qnap.com/en/security-advisory/qsa-24-09
  2. https://www.cybersecurity-help.cz/vdb/SB2024031110

TZCERT-SU-24-0318 (WordPress Security Update)

Wordfence has released security updates to address vulnerabilities in Appointment Booking Calendar, File Manager, Avada, WooCommerce Cloak, Management App for WooCommerce and UX Flat. Exploitation of these vulnerabilities may allow an attacker to take control of an affected system.

Users and administrators are encouraged to review the Wordfence Security Advisories for simply-schedule-appointments, file-manager, Avada, woocommerce-cloak, wemanage-app-worker and ux-flat and apply the necessary updates.

TZCERT-SU-24-0317 (Ubuntu Security Update)

Ubuntu has released security updates to address vulnerabilities in the Linux kernel and Firefox. Exploitation of these vulnerabilities may allow an attacker to take control of an affected system.

Users and administrators are encouraged to review Ubuntu Security Advisories USN-6702-2 and USN-6703-1 and apply the necessary updates.