NAS vendor QNAP Systems has urgently released patches for no fewer than 24 vulnerabilities across its product range, including two high-severity flaws that could allow command execution.
Despite the severity of these vulnerabilities, QNAP has not reported any cases of these bugs being exploited in the wild. The Taiwan-based company's move is rather a proactive measure against potentially very damaging exploits.
According to Security Week, the most concerning vulnerabilities, called CVE-2023-45025 and CVE-2023-39297, are operating system command injection flaws. These flaws are present in QTS versions 5.1.x and 4.5.x, QuTS hero versions h5.1.x and h4.5.x, and QuTScloud version 5.x. The first of them can be manipulated by users to execute commands over a network under certain system configurations, while the second requires authentication for successful exploitation.
Patch now!
QNAP also released patches for two additional vulnerabilities, CVE-2023-47567 and CVE-2023-47568. These remotely exploitable flaws are present in QTS, QuTS hero, and QuTScloud and require administrator authentication for successful exploitation. The first is an operating system command injection, while the second is a SQL injection vulnerability.
These four security flaws have been fixed in the latest versions of QTS, QuTS hero and QuTScloud. Another high severity vulnerability, CVE-2023-47564, affecting Qsync Central versions 4.4.x and 4.3.x has also been fixed. This bug could allow authenticated users to read or modify critical resources over a network.
In addition to these high severity flaws, QNAP has patched multiple medium severity vulnerabilities that could lead to code execution, DoS attacks, command execution, restriction bypass, sensitive data leak, and code injection.
For more detailed information about these vulnerabilities, users are recommended to visit the QNAP security advisory page.