CVE-2024-32766 (CVSS 10) – QNAP Vulnerability: Hackers Can Hijack Your NAS

CVE-2024-27124

QNAP, a leading manufacturer of network attached storage (NAS) devices, has issued an urgent security advisory to its users concerning multiple severe vulnerabilities across its suite of NAS software products. These flaws, if exploited, could enable attackers to perform unauthorized actions such as bypassing authentication mechanisms and executing commands remotely.

The Vulnerabilities

Three main vulnerabilities have been identified and given CVE designations:

  • CVE-2024-27124 (CVSS 7.5) & CVE-2024-32766 (CVSS 10): These flaws focus on OS command injection, a technique where attackers can send malicious commands to a vulnerable system, allowing them to run arbitrary code. This could lead to data theft, installation of malware, or a complete NAS takeover.
  • CVE-2024-32764 (CVSS 9.9): A dangerous flaw permitting unauthorized access to critical functions within the myQNAPcloud Link service.

The Dangers of NAS Exploitation

NAS devices are often overlooked in terms of cybersecurity, but they pose a significant risk when compromised:

  • Data Sensitivity: NAS devices house anything from personal photos and documents to business plans and customer databases. This data is a goldmine for cybercriminals.
  • Ransomware Haven: Attackers often target NAS devices to install ransomware, locking owners out of their data until a ransom is paid.
  • Attack Launchpads: A compromised NAS can be used as a base to launch attacks against other devices on the same network, furthering damage.

Take Action Now: Update and Protect

QNAP urges all users to update their devices immediately to the following versions, which contain the necessary security patches:

  • QTS 5.1.3.2578 build 20231110 and later
  • QTS 4.5.4.2627 build 20231225 and later
  • QuTS hero h5.1.3.2578 build 20231110 and later
  • QuTS hero h4.5.4.2626 build 20231225 and later
  • QuTScloud c5.1.5.2651 and later
  • myQNAPcloud 1.0.52 (2023/11/24) and later
  • myQNAPcloud Link 2.4.51 and later

Beyond Updates: Best Practices for NAS Security

  • Strong Passwords: Avoid weak or default passwords.
  • Regular Updates: Keep NAS software current with the latest security patches.
  • Limit Internet Exposure: If possible, avoid directly connecting your NAS to the internet. Use a VPN for remote access.
  • Regular Backups: Create offline backups of your most critical data as a last line of defense.