ClickCease QNAP Patches: Medium Severity Flaws in OTS QuTS Fixed

Join Our Popular Newsletter

Join 4,500+ Linux & Open Source Professionals!

2x a month. No spam.

QNAP Patches: Medium Severity Flaws in OTS QuTS Fixed

by Wajahat Raja

June 4, 2024 - TuxCare expert team

In recent updates, QNAP, a prominent Taiwanese company specializing in network-attached storage (NAS) solutions, has diligently addressed several vulnerabilities within its QTS and QuTS hero operating systems. These QNAP patches are crucial for safeguarding NAS appliances against potential cybersecurity threats, reinforcing the company’s commitment to user safety and product integrity.

 

OTS QuTS Vulnerabilities


The vulnerabilities, affecting versions QTS 5.1.x and QuTS hero h5.1.x, encompass a range of medium-severity issues. These include:

 

  • CVE-2024-21902: Incorrect permission assignment vulnerability, potentially allowing unauthorized access to critical resources.
  • CVE-2024-27127: Double free vulnerability, opening avenues for executing arbitrary code.


Timely Fixes – QNAP Patches


Acknowledging the critical nature of these
exploitable flaws, QNAP swiftly rolled out QNAP patches with builds QTS 5.1.7.2770 and QuTS hero h5.1.7.2770. These firmware updates, released on May 20, 2024, effectively mitigate the identified vulnerabilities. The discovery and reporting of these flaws by Aliz Hammond of WatchTowr Labs underscore the collaborative efforts between security researchers and industry players to uphold system integrity.


QNAP Patches: Vulnerability Details


One noteworthy vulnerability, CVE-2024-27130, highlighted the unsafe use of the ‘strcpy’ function within the share.cgi script, potentially exploited through the ‘ssid’ parameter. While QNAP
network-attached storage security devices employ Address Space Layout Randomization (ASLR) in QTS 4.x and 5.x versions, mitigating exploitation risks, prompt installation of patches remains imperative.


Addressing Past Concerns


This proactive approach follows a prior disclosure by a cybersecurity firm, detailing 15 vulnerabilities, including authentication bypass and code execution risks. QNAP promptly resolved these issues on April 25, 2024, in response to community concerns.


Ongoing Improvements


Despite these efforts, challenges persist, as seen in the delayed resolution of CVE-2024-27131, identified as a UI specification issue within the QuLog Center. QNAP is actively working to address this in the forthcoming QTS 5.2.0 release, underscoring its commitment to comprehensive
firmware security enhancements.


Cyber Attack Prevention


The collaborative dynamics between QNAP and the cybersecurity community play a pivotal role in fortifying product security. WatchTowr Labs, in its commitment to transparency and accountability, publicly disclosed identified
system vulnerabilities after extended coordination periods, urging timely remediation.


Threat Mitigation


In
response to coordination challenges, QNAP expressed regret and outlined a revised time frame for vulnerability resolution. Moving forward, the company pledges to address high- or critical-severity vulnerabilities within 45 days, with medium-severity issues resolved within 90 days. This proactive stance reflects QNAP’s dedication to enhancing security best practices and fostering a safer digital ecosystem for users worldwide.


User Recommendations – Vulnerability Patching


Ensuring robust
data protection is paramount in today’s digital landscape. Given the potential ramifications of NAS vulnerabilities, users are strongly advised to update their systems promptly. By installing the latest QTS and QuTS hero versions, users can proactively mitigate data breach risks and ensure NAS device security.


Conclusion


In conclusion, QNAP’s swift response to identified vulnerabilities underscores its unwavering commitment to user security and product excellence. Through collaborative engagement with cybersecurity experts and timely patch releases, QNAP strives to uphold the highest standards of security in its NAS solutions, empowering users to navigate the digital landscape with confidence and peace of mind. Staying informed about
QNAP security updates as well as implementing robust cybersecurity measures is crucial for maintaining the integrity of your NAS system.

The sources for this piece include articles in The Hacker News and Decipher.

Summary
QNAP Patches: Medium Severity Flaws in OTS QuTS Fixed
Article Name
QNAP Patches: Medium Severity Flaws in OTS QuTS Fixed
Description
Stay secure with the latest QNAP patches for multiple flaws in OTS QuTS. Expert insights from Tux Care ensure your NAS stays protected.
Author
Publisher Name
TuxCare
Publisher Logo

Looking to automate vulnerability patching without kernel reboots, system downtime, or scheduled maintenance windows?

Become a TuxCare Guest Writer

Mail

Help Us Understand
the Linux Landscape!

Complete our survey on the state of Open Source and you could win one of several prizes, with the top prize valued at $500!

Your expertise is needed to shape the future of Enterprise Linux!