QNAP has released security updates to address two critical security flaws impacting its operating system that could lead to arbitrary code execution.
Tracked as CVE-2023-23368 (CVSS score: 9.8), the vulnerability is described as a command injection bug affecting QTS, QuTS hero, and QuTScloud.
"If exploited, the vulnerability could allow remote attackers to execute commands via a network," the company said in an advisory published over the weekend.
The shortcoming affects the following versions:
- QTS 5.0.x (Fixed in QTS 5.0.1.2376 build 20230421 and later)
- QTS 4.5.x (Fixed in QTS 4.5.4.2374 build 20230416 and later)
- QuTS hero h5.0.x (Fixed in QuTS hero h5.0.1.2376 build 20230421 and later)
- QuTS hero h4.5.x (Fixed in QuTS hero h4.5.4.2374 build 20230417 and later)
- QuTScloud c5.0.x (Fixed in QuTScloud c5.0.1.2374 and later)
Also patched by QNAP is another command injection flaw in QTS, Multimedia Console, and Media Streaming add-on (CVE-2023-23369, CVSS score: 9.0) that could allow remote attackers to execute commands via a network.
The following versions of the software are impacted:
- QTS 5.1.x (Fixed in QTS 5.1.0.2399 build 20230515 and later)
- QTS 4.3.6 (Fixed in QTS 4.3.6.2441 build 20230621 and later)
- QTS 4.3.4 (Fixed in QTS 4.3.4.2451 build 20230621 and later)
- QTS 4.3.3 (Fixed in QTS 4.3.3.2420 build 20230621 and later)
- QTS 4.2.x (Fixed in QTS 4.2.6 build 20230621 and later)
- Multimedia Console 2.1.x (Fixed in Multimedia Console 2.1.2 (2023/05/04) and later)
- Multimedia Console 1.4.x (Fixed in Multimedia Console 1.4.8 (2023/05/05) and later)
- Media Streaming add-on 500.1.x (Fixed in Media Streaming add-on 500.1.1.2 (2023/06/12) and later)
- Media Streaming add-on 500.0.x (Fixed in Media Streaming add-on 500.0.0.11 (2023/06/16) and later)
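Working out whether a given NAS is actually on a fixed build is fiddlier than it looks, because the advisories decide some branches by version number alone and others by version plus build date, and QuTS hero and QuTScloud prefix their versions with a letter. The script below is an added example written for this page, not a QNAP tool; it encodes both version tables above and checks a product/version/build triple against them. It assumes version strings in the advisory's own format ("5.0.1.2376", "h5.0.1.2376", "c5.0.1.2374", "500.1.1.2"), build identifiers as YYYYMMDD strings, and the product names exactly as the advisory writes them; the sample inventory at the bottom is constructed, not real device data.

```python
"""Added example: check a QNAP firmware or app version against the fixed
versions listed above for CVE-2023-23368 and CVE-2023-23369.

Illustrative code written for this page, not a QNAP tool. It assumes version
strings look like the advisory's ("5.0.1.2376", "h5.0.1.2376", "c5.0.1.2374",
"500.1.1.2") and that build identifiers are YYYYMMDD strings.
"""

from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Fix:
    cve: str
    product: str                       # product name as the advisory writes it
    branch: str                        # affected branch, e.g. "5.0.x" or "4.3.6"
    fixed_version: str                 # first fixed version
    fixed_build: Optional[str] = None  # build date, where the advisory gives one


# Fixed versions exactly as listed in the two advisories quoted above.
FIXES = (
    Fix("CVE-2023-23368", "QTS", "5.0.x", "5.0.1.2376", "20230421"),
    Fix("CVE-2023-23368", "QTS", "4.5.x", "4.5.4.2374", "20230416"),
    Fix("CVE-2023-23368", "QuTS hero", "h5.0.x", "h5.0.1.2376", "20230421"),
    Fix("CVE-2023-23368", "QuTS hero", "h4.5.x", "h4.5.4.2374", "20230417"),
    Fix("CVE-2023-23368", "QuTScloud", "c5.0.x", "c5.0.1.2374"),
    Fix("CVE-2023-23369", "QTS", "5.1.x", "5.1.0.2399", "20230515"),
    Fix("CVE-2023-23369", "QTS", "4.3.6", "4.3.6.2441", "20230621"),
    Fix("CVE-2023-23369", "QTS", "4.3.4", "4.3.4.2451", "20230621"),
    Fix("CVE-2023-23369", "QTS", "4.3.3", "4.3.3.2420", "20230621"),
    Fix("CVE-2023-23369", "QTS", "4.2.x", "4.2.6", "20230621"),
    Fix("CVE-2023-23369", "Multimedia Console", "2.1.x", "2.1.2"),
    Fix("CVE-2023-23369", "Multimedia Console", "1.4.x", "1.4.8"),
    Fix("CVE-2023-23369", "Media Streaming add-on", "500.1.x", "500.1.1.2"),
    Fix("CVE-2023-23369", "Media Streaming add-on", "500.0.x", "500.0.0.11"),
)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '5.0.1.2376', 'h5.0.1.2376' or '4.2.x' into an integer tuple.

    The leading product letter (h for QuTS hero, c for QuTScloud) and any
    trailing 'x' wildcard are dropped, so '4.2.x' becomes (4, 2).
    """
    cleaned = text.strip().lstrip("hc")
    return tuple(int(p) for p in cleaned.split(".") if p != "x")


def in_branch(version: Tuple[int, ...], branch: str) -> bool:
    """True when `version` starts with the branch prefix ('5.0.x' -> (5, 0))."""
    prefix = parse_version(branch)
    return version[: len(prefix)] == prefix


def check(product: str, version: str, build: Optional[str] = None) -> Dict[str, str]:
    """Map each CVE whose advisory branch covers this build to a status.

    Status is 'patched', 'vulnerable', or 'unknown' (the advisory's fixed
    version carries a build date but none was supplied). An empty dict means
    the version is in none of the listed branches, which is *not* a
    statement that it is safe.
    """
    ver = parse_version(version)
    result: Dict[str, str] = {}
    for fix in FIXES:
        if fix.product != product or not in_branch(ver, fix.branch):
            continue
        fixed = parse_version(fix.fixed_version)
        # Compare at the precision the advisory uses: '4.2.x' fixed in
        # '4.2.6 build 20230621' is decided by build date, not a 4th field.
        # A shorter device string (e.g. '5.0.1') compares lower than
        # '5.0.1.2376' and is therefore treated conservatively as vulnerable.
        ver_cmp = ver[: len(fixed)]
        if ver_cmp > fixed:
            status = "patched"
        elif ver_cmp < fixed:
            status = "vulnerable"
        elif fix.fixed_build is None:
            status = "patched"  # same version, no build date to check
        elif build is None:
            status = "unknown"
        else:
            # YYYYMMDD strings order correctly as plain strings.
            status = "patched" if build >= fix.fixed_build else "vulnerable"
        result[fix.cve] = status
    return result


if __name__ == "__main__":
    # Constructed sample inventory; not real device data.
    for args in [("QTS", "5.0.1.2376", "20230401"),
                 ("QuTS hero", "h5.0.1.2376", "20230421"),
                 ("QTS", "4.2.6", None),
                 ("Multimedia Console", "1.4.7", None)]:
        print(args, "->", check(*args))
```

Two design points matter in practice: a device on the exact fixed version is only safe if its build date is at or after the one in the advisory, so the check refuses to guess and reports "unknown" when that date is missing; and a version that matches none of the listed branches yields an empty result rather than "patched", because the advisory says nothing about it.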
With QNAP devices exploited in ransomware attacks in the past, users running one of the aforementioned versions are urged to update to the latest version to mitigate potential threats.
The development comes weeks after the Taiwanese company disclosed it took down a malicious server used in widespread brute-force attacks targeting internet-exposed network-attached storage (NAS) devices with weak passwords.