Taiwan-based QNAP Systems over the weekend announced patches for multiple QTS and QuTS Hero vulnerabilities demonstrated at the Pwn2Own Ireland 2024 hacking contest.
At Pwn2Own, participants earned tens of thousands of dollars for QNAP product exploits, and one entry even earned white hat hackers $100,000, but it involved chaining not only QNAP but also TrueNAS device vulnerabilities.
The most severe of the security holes is CVE-2024-50393 (CVSS score of 8.7), a command injection flaw that could allow remote attackers to execute arbitrary commands on vulnerable devices.
Next in line is CVE-2024-48868 (CVSS score of 8.7), a Carriage Return and Line Feed (CRLF) injection bug that could be exploited to modify application data. The CRLF special elements are embedded in code such as HTTP headers to signify End of Line (EOL) markers.
QNAP has included patches for these security defects in QTS 5.1.9.2954 build 20241120, QTS 5.2.2.2950 build 20241114, QuTS Hero h5.1.9.2954 build 20241120, and QuTS Hero h5.2.2.2952 build 20241116.
The software updates also resolve CVE-2024-48865 (CVSS score of 7.3), an improper certificate validation vulnerability that could allow local network attackers to compromise the security of the system.
Additionally, the updates patch medium-severity improper authentication and CRLF injection flaws, and low-severity Hex encoding and externally-controlled format string security defects.
Over the weekend, QNAP also announced patches for a high-severity vulnerability in License Center. Tracked as CVE-2024-48863 (CVSS score of 7.7), the issue could allow remote attackers to execute arbitrary commands.
Patches for the bug were included in QNAP License Center 1.9.43. To update to the latest version, users need to log in to QTS or QuTS Hero as an administrator, open App Center, find License Center using the search function, and click on the update button, which only appears if License Center is not up to date.
QNAP over the weekend also announced the release of Qsync Central version 4.4.0.16_20240819 (2024/08/19), which patches a medium-severity flaw that “could allow remote attackers who have gained user access to traverse the file system to unintended locations”.
While QNAP makes no mention of any of these vulnerabilities being exploited in the wild, users should update their instances as soon as possible, as vulnerable QNAP devices have been frequently targeted in attacks. Additional information can be found on QNAP’s security advisories page.
Related: Synology, QNAP, TrueNAS Address Vulnerabilities Exploited at Pwn2Own Ireland
Related: QNAP Rushes Patch for Code Execution Flaw in NAS Devices
Related: Raspberry Pi Removes Default User to Improve Security
Related: SonicWall Patches 6 Vulnerabilities in Secure Access Gateway
