Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

QNAP Patches Vulnerabilities Exploited at Pwn2Own

QNAP has released patches for multiple high-severity QTS and QuTS Hero vulnerabilities disclosed at the Pwn2Own Ireland 2024 hacking contest.

QNAP vulnerabilities

Taiwan-based QNAP Systems over the weekend announced patches for multiple QTS and QuTS Hero vulnerabilities demonstrated at the Pwn2Own Ireland 2024 hacking contest.

At Pwn2Own, participants earned tens of thousands of dollars for QNAP product exploits, and one entry even earned white hat hackers $100,000, but it involved chaining not only QNAP but also TrueNAS device vulnerabilities. 

The most severe of the security holes is CVE-2024-50393 (CVSS score of 8.7), a command injection flaw that could allow remote attackers to execute arbitrary commands on vulnerable devices.

Next in line is CVE-2024-48868 (CVSS score of 8.7), a Carriage Return and Line Feed (CRLF) injection bug that could be exploited to modify application data. The CRLF special elements are embedded in code such as HTTP headers to signify End of Line (EOL) markers.

QNAP has included patches for these security defects in QTS 5.1.9.2954 build 20241120, QTS 5.2.2.2950 build 20241114, QuTS Hero h5.1.9.2954 build 20241120, and QuTS Hero h5.2.2.2952 build 20241116.

The software updates also resolve CVE-2024-48865 (CVSS score of 7.3), an improper certificate validation vulnerability that could allow local network attackers to compromise the security of the system.

Additionally, the updates patch medium-severity improper authentication and CRLF injection flaws, and low-severity Hex encoding and externally-controlled format string security defects.

Over the weekend, QNAP also announced patches for a high-severity vulnerability in License Center. Tracked as CVE-2024-48863 (CVSS score of 7.7), the issue could allow remote attackers to execute arbitrary commands.

Advertisement. Scroll to continue reading.

Patches for the bug were included in QNAP License Center 1.9.43. To update to the latest version, users need to log in to QTS or QuTS Hero as an administrator, open App Center, find License Center using the search function, and click on the update button, which only appears if License Center is not up to date.

QNAP over the weekend also announced the release of Qsync Central version 4.4.0.16_20240819 (2024/08/19), which patches a medium-severity flaw that “could allow remote attackers who have gained user access to traverse the file system to unintended locations”.

While QNAP makes no mention of any of these vulnerabilities being exploited in the wild, users should update their instances as soon as possible, as vulnerable QNAP devices have been frequently targeted in attacks. Additional information can be found on QNAP’s security advisories page.

Related: Synology, QNAP, TrueNAS Address Vulnerabilities Exploited at Pwn2Own Ireland

Related: QNAP Rushes Patch for Code Execution Flaw in NAS Devices

Related: Raspberry Pi Removes Default User to Improve Security

Related: SonicWall Patches 6 Vulnerabilities in Secure Access Gateway

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Discover strategies for vendor selection, integration to minimize redundancies, and maximizing ROI from your cybersecurity investments. Gain actionable insights to ensure your stack is ready for tomorrow’s challenges.

Register

Dive into critical topics such as incident response, threat intelligence, and attack surface management. Learn how to align cyber resilience plans with business objectives to reduce potential impacts and secure your organization in an ever-evolving threat landscape.

Register

People on the Move

Karl Triebes has joined Ivanti as Chief Product Officer.

Steven Hernandez has joined USAID as CISO and Deputy CIO.

Data security and privacy firm Protegrity has named Michael Howard as its CEO.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.