QNAP Issues Security Updates Addressing Vulnerabilities in NAS Systems
Taiwanese technology firm QNAP has announced significant updates to address multiple medium-severity vulnerabilities affecting its QTS and QuTS hero operating systems. Some of these vulnerabilities could potentially allow malicious actors to execute arbitrary code on QNAP network-attached storage (NAS) devices, raising security concerns for users reliant on these systems for data storage and sharing.
The vulnerabilities, identified as CVE-2024-21902, CVE-2024-27127, and a series of buffer overflow flaws denoted as CVE-2024-27128, CVE-2024-27129, and CVE-2024-27130, impact versions QTS 5.1.x and QuTS hero h5.1.x. CVE-2024-21902 centers on improper permission assignments that could be exploited by authenticated users to inappropriately access or modify critical resources over the network. The double-free vulnerability related to CVE-2024-27127 presents a similar risk, enabling code execution by authenticated users. Furthermore, the buffer overflow vulnerabilities raise alarms as they may also permit code execution under certain conditions.
Remediation for these flaws has been initiated in builds QTS 5.1.7.2770 and QuTS hero h5.1.7.2770, addressing the risks while ensuring that only valid accounts on the NAS devices are implicated. Researcher Aliz Hammond from watchTowr Labs is credited with uncovering and reporting these vulnerabilities on January 3, 2024, bolstering the importance of proactive vulnerability disclosure in enhancing cybersecurity.
In a statement, QNAP detailed that the distinct buffer overflow vulnerability linked to CVE-2024-27130 stems from inappropriate usage of the ‘strcpy’ function within a specific sharing request script. This vulnerability necessitates a valid ‘ssid’ parameter, which an attacker could leverage to carry out the exploit during file sharing operations. QNAP reassured users that despite this vulnerability’s nature, the implementation of Address Space Layout Randomization (ASLR) in both QTS 4.x and 5.x versions complicates the exploitation process.
The latest patches from QNAP were rolled out shortly after a prior disclosure concerning 15 critical vulnerabilities, including multiple flaws that risked authentication bypasses and arbitrary code execution. However, there remains concern regarding CVE-2024-27131, a potential issue described as "Log spoofing via x-forwarded-for." QNAP contends that this particular item results from design choices rather than presenting an actual vulnerability and plans to remedy it in the next major release.
QNAP’s history of vulnerabilities exploited by ransomware attackers has heightened urgency among users, urging them to promptly adopt the latest updates to mitigate possible threats. The overarching theme of this incident underscores the necessity for companies like QNAP to enhance their security protocols, particularly given their extensive client base and reliance on these systems for critical data management.
WatchTowr Labs took to public channels to disclose these vulnerabilities after QNAP exceeded the standard 90-day disclosure timeframe, despite multiple extensions granted for remediation efforts. QNAP expressed regret over these coordination issues, affirming a commitment to resolving high- and critical-severity vulnerabilities within a window of 45 days, while pledging that medium-severity flaws would be addressed within 90 days.
For business owners utilizing QNAP products, these developments serve as a stark reminder of the evolving cybersecurity landscape, necessitating vigilance and proactive measures to safeguard organizational data assets against potential exploitation. The timely application of security updates, informed by the latest threat disclosures, remains crucial in defending against the risks posed by identified vulnerabilities.
