QNAP Fixes multiple Vulnerabilities in its product


QNAP has warned customers to install firmware updates that fix five security vulnerabilities affecting its NAS devices. These vulnerabilities could allow attackers to execute commands or launch denial-of-service (DoS) attacks.

CVE-2023-23362: QNAP discovered an OS command injection vulnerability of high severity. When exploited, this vulnerability grants authenticated users the capability to execute commands over the network.

Affected Versions are given below:

  • QTS 5.0.1.2376 build 20230421 and later
  • QTS 4.5.4.2374 build 20230416 and later
  • QuTS hero h5.0.1.2376 build 20230421 and later
  • QuTS hero h4.5.4.2374 build 20230417 and later
  • QuTScloud c5.0.1.2374 and later

CVE-2023-23358 & CVE-2023-23359: QNAP uncovered two out-of-bounds write vulnerabilities. Once exploited, these allow authenticated users to initiate a DoS attack over the network.

CVE-2023-23360 & CVE-2023-23361: Two NULL pointer dereference vulnerabilities have also been reported, again potentially leading to DoS attacks via the network.

Versions Affected by DoS Vulnerabilities:

  • QTS 5.0.1.2346 build 20230322 and later
  • QTS 4.5.4.2374 build 20230416 and later
  • QuTS hero h5.0.1.2348 build 20230324 and later
  • QuTS hero h4.5.4.2374 build 20230417 and later
  • QuTScloud c5.0.1.2374 and later

QNAP strongly advises its customers to update their systems promptly so that they benefit from the vulnerability fixes.
