CVE-2022-27595 & CVE-2022-27600: Two high-severity flaws in QVPN and QNAP Systems


QNAP has recently released security advisories for two vulnerabilities that affect the QVPN Device Client for Windows and multiple QNAP operating systems. Both are rated High severity: one lets authenticated users execute code, and the other lets remote users cause a denial of service.

CVE-2022-27595: QVPN Device Client for Windows

CVE-2022-27595 is a major security vulnerability in the QVPN Device Client for Windows. It is an insecure library loading flaw, rated high severity because it can allow authenticated users to execute code. In layman’s terms, this vulnerability is akin to leaving your house key under the welcome mat: anyone who knows where to look can gain unauthorized access.

Although this issue is severe, it is critical to note that only the Windows versions of the QVPN Device Client are affected. The macOS, Android, and iOS versions of the software are not vulnerable to this issue. Furthermore, QNAP has released a fix for this vulnerability in version 2.0.0.1316 and subsequent releases.

To stay safe from such vulnerabilities, ensure that you update your QNAP utilities regularly. Doing so will equip your device with the latest defenses against these vulnerabilities. Keep an eye on the QNAP Utilities page for the latest updates and stay ahead of the curve.

CVE-2022-27600: Multiple QNAP Operating Systems

The CVE-2022-27600 vulnerability threatens multiple QNAP operating systems, including QTS, QuTS hero, QuTScloud, and QVP (QVR Pro appliances). This high-severity issue allows for uncontrolled resource consumption, leading to potential denial-of-service (DoS) attacks by remote users. Imagine a horde of invisible invaders, overwhelming your system’s resources until it can no longer function – this is the reality of a DoS attack.

The good news is that this vulnerability has been addressed in the following software versions:

– QTS: From version 5.0.1.2277 build 20230112 and later
– QuTS hero: From versions h5.0.1.2277 build 20230112 and h4.5.4.2374 build 20230417
– QuTScloud: From version c5.0.1.2374 build 20230419
– QVR Pro Appliance: From version 2.3.1.0476

It is highly recommended that you regularly update your system to the latest version to enjoy the benefits of these security patches.
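
To check a fleet against the fixed versions listed above, the following added example (not QNAP's code and not part of the original article) parses firmware version strings and flags hosts that predate the fix. The host names, the unpatched version strings and the release-train comparison rule are assumptions made for illustration.

```python
import re

# Fixed releases exactly as listed in the article above.
FIXED = {
    "QTS": ["5.0.1.2277 build 20230112"],
    "QuTS hero": ["h5.0.1.2277 build 20230112", "h4.5.4.2374 build 20230417"],
    "QuTScloud": ["c5.0.1.2374 build 20230419"],
    "QVR Pro Appliance": ["2.3.1.0476"],
}

_VERSION = re.compile(r"[hc]?(\d+)\.(\d+)\.(\d+)\.(\d+)(?:\s+build\s+(\d{8}))?", re.I)

def parse(version):
    """Return ((major, minor, patch, number), build_date or None)."""
    m = _VERSION.fullmatch(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    nums = tuple(int(g) for g in m.groups()[:4])
    return nums, int(m.group(5)) if m.group(5) else None

def is_fixed(product, installed):
    """True if `installed` is at or beyond a fixed release for `product`."""
    nums, build = parse(installed)
    fixed = [parse(f) for f in FIXED[product]]
    # Assumption: compare within the same major.minor.patch release train.
    train = [f for f in fixed if f[0][:3] == nums[:3]]
    if not train:
        # Assumption: only trains newer than every listed one carry the fix.
        return nums[:3] > max(f[0][:3] for f in fixed)
    fixed_nums, fixed_build = train[0]
    if nums != fixed_nums:
        return nums > fixed_nums
    # Same four-part number: fall back to the build date when both are known.
    return build is None or fixed_build is None or build >= fixed_build

def needs_update(inventory):
    """Return host names whose reported firmware predates the fix."""
    return [host for host, product, ver in inventory if not is_fixed(product, ver)]

# Constructed inventory (host names and unpatched versions are made up).
INVENTORY = [
    ("nas-01", "QTS", "5.0.1.2277 build 20230112"),
    ("nas-02", "QTS", "5.0.0.1000 build 20220101"),
    ("nas-03", "QuTS hero", "h4.5.4.2374 build 20230417"),
    ("nas-04", "QuTS hero", "h4.5.4.1000 build 20220101"),
    ("nas-05", "QuTScloud", "c5.0.1.2374 build 20230419"),
    ("nvr-01", "QVR Pro Appliance", "2.3.0.0100"),
]

if __name__ == "__main__":
    print(needs_update(INVENTORY))
```

Versions on a release train older than any listed here are reported as needing an update, which errs on the side of review.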

Updating QTS, QuTS hero, or QuTScloud

  1. Log in to QTS, QuTS hero, or QuTScloud as an administrator.
  2. Go to Control Panel > System > Firmware Update.
  3. Under Live Update, click Check for Update.
    The system downloads and installs the latest available update.

Tip: You can also download the update from the QNAP website. Go to Support > Download Center and then perform a manual update for your specific device.

Updating QVP (QVR Pro Appliances)

  1. Log in to QVP as an administrator.
  2. Go to Control Panel > System Settings > Firmware Update.
  3. Select the Firmware Update tab.
  4. Click Browse… to upload the latest firmware file.
    Tip: Download the latest firmware file for your specific device from https://www.qnap.com/go/download.
  5. Click Update System.
    The system installs the update.

Whether you are using QVPN for Windows or one of the QNAP operating systems, staying informed about potential vulnerabilities and updates is key to maintaining a secure environment. By regularly updating your systems, you’ll stay one step ahead of cyber threats, ensuring your data and devices remain safe and secure.