{"id":968,"date":"2024-11-26T11:14:50","date_gmt":"2024-11-26T11:14:50","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=968"},"modified":"2024-11-26T11:14:50","modified_gmt":"2024-11-26T11:14:50","slug":"qnap-fixes-critical-security-holes-in-its-networking-solutions","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=968","title":{"rendered":"QNAP fixes critical security holes in its networking solutions"},"content":{"rendered":"
\n
\n
\n
\n
<\/div>\n

Network and software solutions provider QNAP \u2014 whose customers include trusted IT service providers like Accenture, Cognizant, and Infosys \u2014 is urging customers to apply fixes for a few critical severity bugs affecting its Network Attached Storage (NAS) and router services.<\/p>\n

The flaws, which include a mix of missing authentication and OS command injection bugs, could allow remote attackers to execute arbitrary commands on affected systems.<\/p>\n

\u201cMultiple vulnerabilities have been reported to affect Notes Station 3 and QuRouter,\u201d QNAP said in separate security advisories published over the weekend. \u201cTo fix the vulnerabilities, we recommend updating Notes Station 3, (and the QuRouter firmware) to the latest versions.<\/p>\n

<\/a>Critical NAS read and code execution vulnerabilities<\/h2>\n

Tracked as CVE-2024-38643, a missing authentication for critical function vulnerability in QNAP\u2019s note-taking and collaboration application for its NAS devices, Notes Station 3, could provide a remote attacker unauthorized access into the vulnerable systems.<\/p>\n

The vulnerability, which has received a CVSS v3 severity rating of 9.8 out of 10, affects Notes Station 3 versions 3.9.x, and has been fixed in versions 3.9.7 and later. Other than the IT service providers, QNAP\u2019s NAS services are used by a number of organizations in the media and entertainment, healthcare, and education segments for their trusted data storage hardware.<\/p>\n

Affecting the same versions of the application is another server-side request forgery (SSRF<\/a>) flaw, tracked as CVE-2024-38645, allowing remote actors with compromised access through CVE-2024-38643 to read full application data. The flaw carries a CVSS v4 rating of 9.4\/10.<\/p>\n

Shared as part of the same advisory,<\/a> CVE-2024-38644 is a command-injection vulnerability that can allow remote actors with the same access to execute arbitrary codes on vulnerable systems. The flaw has been assigned a high severity (CVSS v3 score 8.8\/10) rating, but together with the other two flaws the attacker could gain full system takeover, making them a critical set of Note Station 3 bugs that need to be fixed right away.<\/p>\n

<\/a>Router system suffers critical code injection loophole<\/h2>\n

In a separate advisory published around the same time, QNAP warned its customers of a critical flaw affecting its line of networking devices QuRouter.<\/p>\n

QuRouter is a series of networking devices and a dedicated operating system (QuRouter OS) designed for managing QNAP\u2019s high-performance routers. It offers network management, security, and performance optimization features, catering to both home users and businesses.<\/p>\n

Tracked as CVE-2024-48860<\/a>, the flaw is a QuRouterOS command injection vulnerability allowing remote attackers to execute commands on the host system. The bug has received a critical CVSS v3 rating of 9.8.<\/p>\n

The flaw impacts QuRouter versions 2.4.x and has been fixed in QuRouter 2.4.3.106 and later, said the QNAP\u2019s advisory<\/a>. Another vulnerability affecting the same versions of QNAP QuRouter, tracked as CVE-2024-48861, was indicated to be allowing local attackers to execute commands on vulnerable systems, receiving a high severity rating of 7.8.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"

Network and software solutions provider QNAP \u2014 whose customers include trusted IT service providers like Accenture, Cognizant, and Infosys \u2014 is urging customers to apply fixes for a few critical severity bugs affecting its Network Attached Storage (NAS) and router services. The flaws, which include a mix of missing authentication and OS command injection bugs, […]<\/p>\n","protected":false},"author":0,"featured_media":969,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-968","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/968"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=968"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/968\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/969"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=968"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=968"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=968"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}