QNAP Warns Ransom Threats And Provides Updates

NAS manufacturer QNAP is warning customers about critical vulnerabilities that allow attackers to inject and execute commands remotely. Various versions of the QTS operating system and applications on its NAS devices are affected.

The Risk Is High

Updates are already being distributed, so users should urgently check whether they are already up to date. The update is highly recommended – one of the vulnerabilities received a risk rating of 9.8 out of 10.

QNAP devices have been the target of large-scale ransomware attacks several times in the past. A year ago, the Deadbolt ransomware gang exploited a zero-day vulnerability to encrypt NAS devices that were freely accessible on the Internet.

In order to avoid major problems, the following updates are available:

The first vulnerability is known as CVE-2023-23368 and has a critical severity score of 9.8 out of 10. It is a vulnerability that an attacker could exploit to execute commands over a network. The QTS versions affected by the vulnerability are QTS 5.0.x and 4.5.x, QuTS hero h5.0.x and h4.5.x, and QuTScloud c5.0.1.

Fixes are available in the following versions

  • QTS Build 20230421 and later
  • QTS Build 20230416 and later
  • QuTS hero h5.0.1.2376 Build 20230421 and later
  • QuTS hero h4.5.4.2374 Build 20230417 and later
  • QuTScloud c5.0.1.2374 and later

The second vulnerability is listed as CVE-2023-23369 and has a severity of 9.0. It could also be exploited by a remote attacker and have the same effect as the first.

The QTS versions 5.1.x, 4.3.6, 4.3.4, 4.3.3 and 4.2.x, Multimedia Console 2.1.x and 1.4.x as well as Media Streaming Add-on 500.1.x and 500.0.x are affected.

Fixes are available in

  • QTS Build 20230515 and later
  • QTS Build 20230621 and later
  • QTS Build 20230621 and later
  • QTS Build 20230621 and later
  • QTS 4.2.6 Build 20230621 and later
  • Multimedia Console 2.1.2 (2023/05/04) and later
  • Multimedia Console 1.4.8 (2023/05/05) and later
  • Media Streaming Add-on 500.1.1.2 (2023/06/12) and later
  • Media Streaming Add-in 500.0.0.11 (2023/06/16) and later

To update QTS, QuTS hero, or QuTScloud, you must log in as an administrator and navigate to Control Panel > System > Firmware Update. Click on “Check for update” under “Live Update” to download and install the latest version. Updates are also available as manual downloads from the QNAP website.

Leave a Reply