CVE-2024-21899 (CVSS 9.8): Critical QNAP Flaw Opens Door to Hackers

QNAP has issued a critical security advisory regarding multiple vulnerabilities impacting their NAS software solutions. These vulnerabilities, if left unaddressed, could provide attackers with various avenues for compromising affected devices.

What’s the Risk?

The discovered vulnerabilities range in severity, with the most concerning being what’s known as an authentication bypass flaw (CVE-2024-21899). This bug means attackers can slither into your NAS without needing a username or password. Other loopholes could allow hackers to take command of your device, manipulate your database, or insert malicious code designed for further attacks.

Vulnerability Summary

• CVE-2024-21899 (CVSS 9.8): An authentication bypass vulnerability that could allow unauthorized remote access to the NAS device. Notably, this flaw requires minimal effort to exploit.
• CVE-2024-21900 (CVSS 4.3): A command injection vulnerability enabling authenticated users to execute arbitrary commands.
• CVE-2024-21901 (CVSS 4.7): An SQL injection vulnerability that could allow authenticated users to compromise the integrity of the device’s database.
• CVE-2023-32969 (CVSS 4.9): A cross-site scripting (XSS) vulnerability impacting Network & Virtual Switch. Successful exploitation could allow authenticated administrators to execute malicious code.

Affected Systems

The vulnerabilities impact a range of QNAP operating systems, including:

• QTS 5.1.x
• QTS 4.5.x
• QuTS hero h5.1.x
• QuTS hero h4.5.x
• QuTScloud c5.x
• myQNAPcloud 1.0.x service

Recommendations

QNAP strongly urges immediate updates to the following patched versions:

• QTS 5.1.3.2578 build 20231110 and later
• QTS 4.5.4.2627 build 20231225 and later
• QuTS hero h5.1.3.2578 build 20231110 and later
• QuTS hero h4.5.4.2626 build 20231225 and later
• QuTScloud c5.1.5.2651 and later
• myQNAPcloud 1.0.52 (2023/11/24) and later

Upgrading is straightforward for those in command of their digital domains. For QTS, QuTS hero, and QuTScloud, administrators are guided to the ‘Control Panel > System > Firmware Update‘ pathway to initiate the auto-update process. Meanwhile, myQNAPcloud users can navigate through the ‘App Center‘ to find and update their software.

NAS Devices as Security Targets

The sensitive data typically stored on NAS devices presents a lucrative target for malicious actors. As these devices are often less rigorously monitored and may be running outdated software, organizations and individuals employing QNAP products must prioritize security updates to mitigate potential security risks.