QNAP has published a security advisory about two critical vulnerabilities that could allow remote attackers to execute commands via a network.
One of the vulnerabilities affects the QTS and QuTS operating systems (OS) for QNAP’s network-attached storage (NAS) systems. The second one can be found in versions of QTS, the Multimedia Console, and the Media Streaming add-on.
The first vulnerability, CVE-2023-23368 (CVSS score 9.8 out of 10), is an OS command injection vulnerability.
OS command injection (also known as shell injection) is a security vulnerability that allows an attacker to execute arbitrary operating system (OS) commands on the device that is running an application, and typically fully compromise the application and all its data.
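The vulnerability class defined above, as an added example: this is not QNAP's code and is not taken from the advisory. The function names, the `host` field and the sample input are constructed for illustration. It contrasts a handler that pastes input into a shell string with one that validates the value and passes an argument list without a shell.

```python
import re
import subprocess

# Allow-list for the hypothetical "host" form field: letters, digits, dot, hyphen.
HOST_RE = re.compile(r"[A-Za-z0-9.-]{1,253}")

# Constructed sample input: a harmless marker command appended after ';'.
CONSTRUCTED_INPUT = "nas.local; echo INJECTED"


def label_unsafe(host: str) -> str:
    """VULNERABLE pattern: the value is concatenated into a string that /bin/sh parses."""
    cmd = "echo checking " + host  # ';', '|', '&&' and '$()' keep their shell meaning
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def label_argv(host: str) -> str:
    """No shell: the value is handed to the program as one literal argument."""
    return subprocess.run(
        ["echo", "checking", host], capture_output=True, text=True, check=True
    ).stdout


def label_safe(host: str) -> str:
    """Hardened: reject anything outside the allow-list, then use the argv form."""
    if not HOST_RE.fullmatch(host):
        raise ValueError("rejected host value")
    return label_argv(host)


if __name__ == "__main__":
    print("unsafe :", repr(label_unsafe(CONSTRUCTED_INPUT)))  # two commands ran
    print("argv   :", repr(label_argv(CONSTRUCTED_INPUT)))    # one literal argument
    try:
        label_safe(CONSTRUCTED_INPUT)
    except ValueError as exc:
        print("safe   :", exc)
```

In the unsafe form the shell treats the text after `;` as a second command, which is why input validation and shell-free process creation are the standard defenses for this class of bug.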
A fix is available for the vulnerability in the following versions:
- QTS 126.96.36.1996 build 20230421 and later
- QTS 188.8.131.524 build 20230416 and later
- QuTS hero h184.108.40.2066 build 20230421 and later
- QuTS hero h220.127.116.114 build 20230417 and later
- QuTScloud c18.104.22.1684 and later
To update QTS, QuTS hero, or QuTScloud:
- Log in to QTS, QuTS hero, or QuTScloud as an administrator.
- Go to Control Panel > System > Firmware Update.
- Under Live Update, click Check for Update.
- The system will download and install the latest available update.
If that doesn’t work for you, you can also download the update from the QNAP website. Go to Support > Download Center and then perform a manual update for your specific device.
The second vulnerability, CVE-2023-23369 (CVSS score 9 out of 10), is also an OS command injection vulnerability that reportedly…