
WARNING: CRITICAL VULNERABILITIES IN SEVERAL QNAP NAS PRODUCTS

Reference: 
Advisory #2024-62
Affected software: 
QNAP (QTS 5.x & 4.5.x, QuTS hero h5.x & h4.5.x, QuTScloud c5.x, myQNAPcloud 1.0.x, myQNAPcloud Link 2.4.x)
Type: 
OS command injection, unauthorized access, improper authentication, SQL injection
CVE/CVSS: 
CVE-2024-32766:CVSS 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
CVE-2024-32764:CVSS 9.9 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:L)
CVE-2024-27124:CVSS 7.5 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)
CVE-2024-21899:CVSS 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVE-2024-21900:CVSS 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)
CVE-2024-21901:CVSS 4.7 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L)

Sources

https://www.qnap.com/en/security-advisory/qsa-24-09

Risks

QNAP has published security updates for several of its NAS (network-attached storage) products. The vulnerabilities include OS command injection and missing authentication for critical functions; the two most severe (CVSS 10 and 9.9) are exploitable over the network without authentication and can lead to complete takeover of the device, with a high impact on Confidentiality, Integrity and Availability. Ransomware actors are known to target NAS devices, which commonly hold backups and shared data, for maximal impact.

Description

QNAP, in their security advisory, addresses multiple vulnerabilities:
 
CVE-2024-32766
This OS command injection vulnerability, with a CVSS of 10, can allow an unauthenticated attacker to execute arbitrary commands via the network.
 
CVE-2024-32764
This missing-authentication vulnerability, with a CVSS of 9.9, can allow an unauthenticated attacker to invoke a critical function and thereby gain access to the system via the network.
 
CVE-2024-27124
This OS command injection vulnerability, with a CVSS of 7.5, can allow an attacker to execute commands via the network. The lower score reflects the high attack complexity and the user interaction required in its vector; the impact, once triggered, is still full compromise.
 
CVE-2024-21899
This improper authentication vulnerability, with a CVSS of 9.8, can allow an unauthenticated attacker to compromise the security of the NAS system via the network.
 
CVE-2024-21900
This injection vulnerability, with a CVSS of 4.3, can allow an authenticated user to execute commands via the network.
 
CVE-2024-21901
This SQL injection vulnerability, with a CVSS of 4.7, can allow an authenticated attacker with administrative privileges to inject malicious code via the network.

Recommended Actions

Patch
 
The Centre for Cybersecurity Belgium strongly recommends installing the updates on vulnerable devices with the highest priority, after thorough testing. According to the vendor, the vulnerabilities are fixed in the following versions (a device on an earlier build of the same branch, for example QTS 5.0.x or 5.1.2.x, is still affected and must be updated to the listed version or later):
  • QTS 5.1.3.2578 build 20231110 and later
  • QTS 4.5.4.2627 build 20231225 and later
  • QuTS hero h5.1.3.2578 build 20231110 and later
  • QuTS hero h4.5.4.2626 build 20231225 and later
  • QuTScloud c5.1.5.2651 and later
  • myQNAPcloud 1.0.52 (2023/11/24) and later 
  • myQNAPcloud Link 2.4.51 and later
Additional update instructions are available in the vendor advisory: https://www.qnap.com/en/security-advisory/qsa-24-09
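The fixed-version list above is easy to misread when a fleet mixes branches (QTS 5.x and 4.5.x, QuTS hero, the cloud components), so a script that compares each device's reported version against the fix for its branch is a useful check before and after patching. The example below is added here and is not part of the CCB advisory or QNAP's tooling; the fixed versions are transcribed from the list above, the mapping of a device to its fix line by product name and major version is an assumption of this example, and the inventory is constructed sample data, not real hosts.

```python
import re
from typing import List, Optional, Tuple

# Fixed versions from QSA-24-09 as listed in this advisory, keyed by
# (product, major version branch).  The branch mapping by major version
# is an assumption of this example, not something the advisory states.
FIXED = {
    ("QTS", 5): "5.1.3.2578 build 20231110",
    ("QTS", 4): "4.5.4.2627 build 20231225",
    ("QuTS hero", 5): "h5.1.3.2578 build 20231110",
    ("QuTS hero", 4): "h4.5.4.2626 build 20231225",
    ("QuTScloud", 5): "c5.1.5.2651",
    ("myQNAPcloud", 1): "1.0.52",
    ("myQNAPcloud Link", 2): "2.4.51",
}

# QNAP version strings look like "5.1.3.2578 build 20231110"; QuTS hero
# and QuTScloud prefix the number with "h" or "c", and the build date is
# optional.
_VER_RE = re.compile(r"^[hc]?(\d+(?:\.\d+)*)(?:\s+build\s+(\d{8}))?$")


def parse_version(s: str) -> Tuple[Tuple[int, ...], int]:
    """Return (numeric components, build date or 0 if absent)."""
    m = _VER_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised QNAP version string: {s!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    build = int(m.group(2)) if m.group(2) else 0
    return parts, build


def is_patched(product: str, version: str) -> Optional[bool]:
    """True if version >= the fix for its branch, False if older,
    None if the advisory lists no fix for that product/branch."""
    parts, build = parse_version(version)
    fix = FIXED.get((product, parts[0]))
    if fix is None:
        return None
    fparts, fbuild = parse_version(fix)
    # Numeric components decide; the build date only breaks a tie when
    # both sides carry one (it is monotonic with the last component anyway).
    if parts != fparts:
        return parts > fparts
    if build and fbuild:
        return build >= fbuild
    return True


def audit(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str]]:
    """Map each (host, product, version) to (host, status)."""
    labels = {True: "patched", False: "vulnerable", None: "unknown"}
    return [(host, labels[is_patched(product, ver)])
            for host, product, ver in inventory]


# Constructed sample inventory (hypothetical hosts and versions).
INVENTORY = [
    ("nas-01", "QTS", "5.1.2.2533 build 20231015"),   # pre-fix 5.1.x
    ("nas-02", "QTS", "5.1.5.2645 build 20240116"),   # later than fix
    ("nas-03", "QuTS hero", "h5.1.3.2578 build 20231110"),  # exactly the fix
    ("nas-04", "myQNAPcloud Link", "2.4.50"),         # one below fix
    ("nas-05", "QTS", "3.8.4"),                       # branch not in advisory
]

if __name__ == "__main__":
    for host, status in audit(INVENTORY):
        print(f"{host}: {status}")
```

Treat "unknown" as a prompt to check the vendor advisory rather than as safe: the script only knows the branches this advisory lists, and a device on an older, unlisted branch is out of support, not out of scope for attackers.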
 
Monitor/Detect
 
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.
In case of an intrusion, you can report an incident via: https://cert.be/en/report-incident
 
Patching appliances or software to the newest version protects against future exploitation, but it does not remediate a historic compromise: a device that was exploited before the update may still carry attacker-created accounts, credentials or other persistence, and should be investigated and, where compromise is confirmed, rebuilt rather than only updated.