Taiwan-based QNAP Systems on Friday announced patches for a dozen vulnerabilities across its product portfolio, including high-severity flaws in its operating system.
The first of the high-severity issues is CVE-2023-39296, which is described as a prototype pollution flaw that could allow remote attackers “to override existing attributes with ones that have an incompatible type, which may cause the system to crash”, QNAP explains in its advisory.
The bug affects QTS versions 5.1.x and QuTS hero versions h5.1.x and was resolved with the release of QTS 5.1.3.2578 build 20231110 and QuTS hero h5.1.3.2578 build 20231110.
The two releases also address CVE-2022-43634, a security defect in Netatalk that could allow attackers to execute arbitrary code remotely, without authentication.
“The specific flaw exists within the dsi_writeinit function. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of root,” a NIST advisory reads.
On Friday, QNAP also released patches for two high-severity vulnerabilities in Video Station – an SQL injection (CVE-2023-41287) and an OS command injection (CVE-2023-41288) – that could be exploited over the network. Video Station version 5.7.2 resolves both issues.
Two other high-severity, remotely exploitable bugs were addressed with the release of QuMagie 2.2.1, namely CVE-2023-47559, a cross-site scripting (XSS) flaw, and CVE-2023-47560, an OS command injection defect.
Additionally, QNAP announced patches for multiple other medium- and low-severity vulnerabilities in QTS, QuTS hero, QcalAgent, and QuMagie. Details on these flaws can be found on QNAP’s security advisories page.
QNAP makes no mention of any of these security holes being exploited in the wild, but threat actors are known to target unpatched QNAP appliances in malicious attacks.
Mainly known for its network-attached storage (NAS) and professional network video recorder (NVR) products, QNAP also manufactures various types of networking equipment.
Related: CISA Warns of FXC Router, QNAP NVR Vulnerabilities Exploited in the Wild
Related: 30k Internet-Exposed QNAP NAS Devices Affected by Recent Vulnerability
Related: QNAP Offering $20,000 Rewards via New Bug Bounty Program
Related: Critical QNAP Vulnerability Leads to Code Injection
