
WARNING: CRITICAL VULNERABILITY IN QNAP QTS, QUTS, AND QUTSCLOUD, PATCH IMMEDIATELY!

Reference: Advisory #2024-38
Version: 1.0
Affected software: QNAP QTS, QNAP QuTS, QNAP QuTScloud
Type: Improper Authentication, Injection, SQL Injection
CVE/CVSS:
CVE-2024-21899: CVSS 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVE-2024-21900: CVSS 4.3 MEDIUM (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)
CVE-2024-21901: CVSS 4.7 MEDIUM (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L)

Sources

https://www.qnap.com/en/security-advisory/qsa-24-09

Risks

QNAP fixed 3 vulnerabilities on 09/03/2024, including 1 critical vulnerability that could allow attackers to access the device without username and password.
 
NAS devices are a known target for ransomware attacks. Ransomware operations that have previously targeted QNAP devices include Deadbolt, Checkmate, and Qlocker.
 
The Centre for Cyber Security Belgium recommends that system administrators patch vulnerable systems as soon as possible and analyse system and network logs for any suspicious activity. This report contains instructions to help your organisation.
 
In case of an intrusion, you can report an incident via: https://cert.be/en/report-incident

Description

QNAP fixed 3 vulnerabilities on 09/03/2024, including 1 critical vulnerability that could allow attackers to access the device without a username and password.
 
CVE-2024-21899: An improper authentication mechanism could allow unauthenticated users to compromise the system's security over the network (remotely).
CVE-2024-21900: This vulnerability could allow authenticated users to execute arbitrary commands on the system via a network, potentially leading to unauthorised system access or control.
CVE-2024-21901: This flaw could enable authenticated administrators to inject malicious SQL code through the network, potentially compromising the database integrity and manipulating its contents.
 
QNAP has released software patches that address these vulnerabilities.

Recommended Actions

Patch
The Centre for Cyber Security Belgium strongly recommends installing updates for vulnerable software with the highest priority, after thorough testing.
The latest version of the involved product can be found on their website: https://www.qnap.com/en/security-advisory/qsa-24-09
 
Monitor/Detect
The CCB recommends that organisations scale up their monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.
In case of an intrusion, you can report an incident via: https://cert.be/en/report-incident
 
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.

References

https://www.qnap.com/en/security-advisory/qsa-24-09

https://www.bleepingcomputer.com/news/security/qnap-warns-of-critical-au...