Network and software solutions provider QNAP, whose customers include trusted IT service providers like Accenture, Cognizant, and Infosys, is urging customers to apply fixes for a few critical severity bugs affecting its Network Attached Storage (NAS) and router services.The flaws, which include a mix of missing authentication and OS command injection bugs, could allow remote attackers to execute arbitrary commands on affected systems.”Multiple vulnerabilities have been reported to affect Notes Station 3 and QuRouter,” QNAP said in separate security advisories published over the weekend. “To fix the vulnerabilities, we recommend updating Notes Station 3, (and the QuRouter firmware) to the latest versions. Tracked as CVE-2024-38643, a missing authentication for critical function vulnerability in QNAP’s note-taking and collaboration application for its NAS devices, Notes Station 3, could provide a remote attacker unauthorized access into the vulnerable systems.The vulnerability, which has received a CVSS v3 severity rating of 9.8 out of 10, affects Notes Station 3 versions 3.9.x, and has been fixed in versions 3.9.7 and later. Other than the IT service providers, QNAP’s NAS services are used by a number of organizations in the media and entertainment, healthcare, and education segments for their trusted data storage hardware.Affecting the same versions of the application is another server-side request forgery (SSRF) flaw, tracked as CVE-2024-38645, allowing remote actors with compromised access through CVE-2024-38643 to read full application data. The flaw carries a CVSS v4 rating of 9.4/10.Shared as part of the same advisory, CVE-2024-38644 is a command-injection vulnerability that can allow remote actors with the same access to execute arbitrary codes on vulnerable systems. The flaw has been assigned a high severity (CVSS v3 score 8.8/10) rating, but together with the other two flaws the attacker could gain full system takeover, making them a critical set of Note Station 3 bugs that need to be fixed right away.
Router system suffers critical code injection loophole
In a separate advisory published around the same time, QNAP warned its customers of a critical flaw affecting its line of networking devices QuRouter.QuRouter is a series of networking devices and a dedicated operating system (QuRouter OS) designed for managing QNAP’s high-performance routers. It offers network management, security, and performance optimization features, catering to both home users and businesses.Tracked as CVE-2024-48860, the flaw is a QuRouterOS command injection vulnerability allowing remote attackers to execute commands on the host system. The bug has received a critical CVSS v3 rating of 9.8.The flaw impacts QuRouter versions 2.4.x and has been fixed in QuRouter 2.4.3.106 and later, said the QNAP’s advisory. Another vulnerability affecting the same versions of QNAP QuRouter, tracked as CVE-2024-48861, was indicated to be allowing local attackers to execute commands on vulnerable systems, receiving a high severity rating of 7.8.
First seen on csoonline.com
Jump to article: www.csoonline.com/article/3612908/qnap-fixes-critical-security-holes-in-its-networking-solutions.html
