Qnap publishes NAS updates and deactivates an app for security reasons


Several vulnerabilities allow attackers to target Qnap NAS systems and, after a successful attack, execute malicious code. Since a security update is not yet available for one app, the developers have temporarily removed it.

The most dangerous are two code-execution vulnerabilities rated “high” in the QTS and QuTS hero operating systems and in Multimedia Console. The weak point in the operating systems can be traced back to the Apple Filing Protocol (AFP). Attackers could exploit it to execute malicious code by triggering a memory error (heap-based buffer overflow). It is currently not known what an attack might look like.

According to the developers, however, the following versions are protected:

  • QTS build 20211001
  • QTS build 20210923
  • QTS build 20211019
  • QTS build 20211008
  • QuTS hero h5.0.0.1844 build 20211105
  • QuTS hero h4.5.4.1813 build 20211006

The Multimedia Console vulnerability (CVE-2021-38684) can also serve as an entry point for malicious code. Here, too, no details on attack scenarios are known. Qnap has released the fixed versions 1.4.3 (2021/10/05) and 1.5.3 (2021/10/05).

The vulnerability in QmailAgent (CVE-2021-34358, “medium”) could serve as a starting point for a CSRF attack. It is fixed in QmailAgent 3.0.2 (2021/08/25) and later. For the vulnerability in Ragic Cloud DB (CVE-2021-38681, “medium”) there is no security update yet. As a result, Qnap has temporarily removed the application from the App Center until a patch is available.

