Warning: 2 critical command injection vulnerabilities impact multiple versions of the QNAP QTS operating system and applications on its network-attached storage (NAS) devices. Patch Immediately!
CVE-2023-23368: CVSS 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVE-2023-23369: CVSS 9.0 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
QNAP Systems published security advisories for two critical command injection vulnerabilities that impact multiple versions of the QTS operating system and applications on its network-attached storage (NAS) devices.
The first flaw is being tracked as CVE-2023-23368 and has a critical severity rating of 9.8 out of 10. It is a command injection vulnerability that a remote attacker can exploit to execute commands via a network.
The second vulnerability is identified as CVE-2023-23369 and has a slightly lower severity rating of 9.0; it could also be exploited by a remote attacker to the same effect as the first.
Both vulnerabilities have a HIGH impact on confidentiality, integrity, and availability. No user interaction is required to exploit them.
The two vulnerabilities (CVE-2023-23368 and CVE-2023-23369) affect several QNAP operating system versions. When exploited, they could allow users to execute commands via a network.
Since the QNAP operating system is used on NAS devices, which typically store data, command execution flaws could have a serious impact: cybercriminals are constantly looking for new targets from which to steal and/or encrypt sensitive data.
The Centre for Cyber Security Belgium strongly recommends that system administrators take the following actions:
For CVE-2023-23368, fixes are available in the following releases:
- QTS 188.8.131.526 build 20230421 and later
- QTS 184.108.40.2064 build 20230416 and later
- QuTS hero h220.127.116.116 build 20230421 and later
- QuTS hero h18.104.22.1684 build 20230417 and later
- QuTScloud c22.214.171.1244 and later
For CVE-2023-23369, fixes are available in the following releases:
- QTS 126.96.36.1999 build 20230515 and later
- QTS 188.8.131.521 build 20230621 and later
- QTS 184.108.40.2061 build 20230621 and later
- QTS 220.127.116.110 build 20230621 and later
- QTS 4.2.6 build 20230621 and later
- Multimedia Console 2.1.2 (2023/05/04) and later
- Multimedia Console 1.4.8 (2023/05/05) and later
- Media Streaming add-on 500.1.1.2 (2023/06/12) and later
- Media Streaming add-on 500.0.0.11 (2023/06/16) and later