CVE-2023-23363 & CVE-2023-23364: High-Severity Bugs Unveiled in QNAP’s QTS & Multimedia Console
In the era of cloud computing and digitized storage, keeping systems secured is paramount. But as technology advances, so do the tactics of cybercriminals. QNAP has released security updates to patch two critical vulnerabilities in its QTS operating system and Multimedia Console application. Both vulnerabilities could allow attackers to execute arbitrary code on affected devices, giving them complete control over the system.
CVE-2023-23363: Vulnerability in Legacy QTS
The first vulnerability, CVE-2023-23363, is a buffer overflow vulnerability in legacy versions of QTS. This vulnerability could be exploited by attackers to execute malicious code on affected devices.
QNAP was quick to recognize the issue and has already patched the vulnerability in the following versions:
- QTS 4.3.6.2441 build 20230621 and later
- QTS 4.3.4.2451 build 20230621 and later
- QTS 4.3.3.2420 build 20230621 and later
- QTS 4.2.6 build 20230621 and later
If you are running the newer QTS versions 4.4.x, 4.5.x, or 5.x, you can breathe a sigh of relief; you are in the clear. Additionally, QuTS hero remains unaffected.
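To triage a fleet against the list above, the following added example (not QNAP's code) classifies QTS version strings for CVE-2023-23363. It assumes the inventory reports versions as "X.Y.Z[.N] build YYYYMMDD" and that build numbers are dates that only increase within a branch; the host names and sample versions are constructed.

```python
import re

# Fixed builds per legacy branch, taken from the list above (CVE-2023-23363).
QTS_FIXED_BUILD = {
    (4, 3, 6): 20230621,
    (4, 3, 4): 20230621,
    (4, 3, 3): 20230621,
    (4, 2, 6): 20230621,
}

# Assumed input format: "X.Y.Z[.N] build YYYYMMDD", optionally prefixed with "QTS".
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:\.\d+)?\s+build\s+(\d{8})", re.I)


def qts_status(version_string):
    """Return 'patched', 'vulnerable', 'not-affected' or 'unknown'."""
    m = _VERSION_RE.search(version_string)
    if not m:
        return "unknown"
    major, minor, patch, build = (int(g) for g in m.groups())
    # The article lists 4.4.x, 4.5.x and 5.x as not affected.
    if major == 5 or (major, minor) in {(4, 4), (4, 5)}:
        return "not-affected"
    fixed = QTS_FIXED_BUILD.get((major, minor, patch))
    if fixed is None:
        return "unknown"  # branch not covered by the article: do not guess
    return "patched" if build >= fixed else "vulnerable"


def audit(inventory):
    """Map each host to its status so unpatched devices can be prioritised."""
    return {host: qts_status(version) for host, version in inventory.items()}


# Constructed sample inventory (hypothetical hosts and version strings).
SAMPLE_INVENTORY = {
    "nas-a": "QTS 4.3.6.2441 build 20230621",
    "nas-b": "4.3.4.1000 build 20220101",
    "nas-c": "5.1.0.1000 build 20230101",
    "nas-d": "4.3.5.1000 build 20230701",
}

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as "unknown" run a branch the article does not mention and need a manual check against QNAP's advisory.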
Updating QTS
- Log in to QTS as an administrator.
- Go to Control Panel > System > Firmware Update.
- Under Live Update, click Check for Update.
The system downloads and installs the latest available update.
Tip: You can also download the update from the QNAP website. Go to Support > Download Center and then perform a manual update for your specific device.
CVE-2023-23364: Vulnerability in Multimedia Console
The second vulnerability, CVE-2023-23364, is a buffer overflow vulnerability in the Multimedia Console. This vulnerability could also be exploited by attackers to execute malicious code on affected devices.
Affected users can take comfort in knowing that QNAP's swift action has led to patches in the following versions:
- Multimedia Console 2.1.1 (2023/03/29) and later
- Multimedia Console 1.4.7 (2023/03/20) and later
Updating Multimedia Console
- Log on to QTS as administrator.
- Open the App Center and then click the search icon.
  A search box appears.
- Type “Multimedia Console” and then press ENTER.
  Multimedia Console appears in the search results.
- Click Update.
  A confirmation message appears.
  Note: The Update button is not available if your version is already up to date.
- Click OK.
The application is updated.
Both of these vulnerabilities are high severity because they could allow attackers to execute arbitrary code on affected devices. This means that attackers could gain complete control over the device, install malware, steal data, or even launch attacks against other devices on the network.
It is important to update your QTS device and Multimedia Console application as soon as possible to patch these vulnerabilities.