Warning: 2 critical command injection vulnerabilities impact multiple versions of the QNAP QTS operating system and applications on its network-attached storage (NAS) devices. Patch Immediately!
CVE-2023-23368: CVSS 9.8(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVE-2023-23369: CVSS 9.0(CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
Sources
https://nvd.nist.gov/vuln/detail/CVE-2023-23368
https://nvd.nist.gov/vuln/detail/CVE-2023-23369
Risks
QNAP Systems published security advisories for two critical command injection vulnerabilities that impact multiple versions of the QTS operating system and applications on its network-attached storage (NAS) devices.
The first flaw is being tracked as CVE-2023-23368 and has a critical severity rating of 9.8 out of 10. It is a command injection vulnerability that a remote attacker can exploit to execute commands via a network.
The second vulnerability is identified as CVE-2023-23369 and has a lower severity rating of 9.0 and could also be exploited by a remote attacker to the same effect as the previous one.
Both the vulnerabilities have a HIGH Impact on Confidentiality, Integrity, and Availability. No user Interaction Is required to exploit these vulnerabilities.
Description
The two vulnerabilities (CVE-2023-23368 and CVE-2023-23369) affects several QNAP operating systems versions. When exploited, the vulnerabilities could allow users to execute commands via a network.
Since the QNAP operating system Is used on NAS devices that are typically used to store data, command execution flaws could have a serious impact as cybercriminals are often looking for new targets to steal and/or encrypt sensitive data from.
Recommended Actions
The Centre for Cyber Security Belgium strongly recommends system administrators to take the following actions:
For CVE-2023-23368, fixes are available in the following releases:
- QTS 5.0.1.2376 build 20230421 and later
- QTS 4.5.4.2374 build 20230416 and later
- QuTS hero h5.0.1.2376 build 20230421 and later
- QuTS hero h4.5.4.2374 build 20230417 and later
- QuTScloud c5.0.1.2374 and later
For CVE-2023-23369, fixes are available in the following releases:
- QTS 5.1.0.2399 build 20230515 and later
- QTS 4.3.6.2441 build 20230621 and later
- QTS 4.3.4.2451 build 20230621 and later
- QTS 4.3.3.2420 build 20230621 and later
- QTS 4.2.6 build 20230621 and later
- Multimedia Console 2.1.2 (2023/05/04) and later
- Multimedia Console 1.4.8 (2023/05/05) and later
- Media Streaming add-on 500.1.1.2 (2023/06/12) and later
- Media Streaming add-on 500.0.0.11 (2023/06/16) and later
References
https://www.bleepingcomputer.com/news/security/qnap-warns-of-critical-command-injection-flaws-in-qts-os-apps/
https://therecord.media/qnap-urgently-fixing-vulnerabilities-in-systems