Description:
QNAP has published security advisories to address multiple vulnerabilities in QNAP products. The details of security updates can be found at:
https://www.qnap.com/en/security-advisory/QSA-23-12
https://www.qnap.com/en/security-advisory/QSA-23-25
https://www.qnap.com/en/security-advisory/QSA-23-29
Affected Systems:
- QNAP NAS devices running QTS operating system versions prior to 4.3.3.2420 build 20230621, 4.3.4.2451 build 20230621, 4.3.6.2441 build 20230621, 5.1.0.2348 build 20230325
- QNAP NAS devices running QuTS hero operating system versions prior to h5.1.0.2392 build 20230508
- QNAP NAS devices running QuTScloud versions prior to c5.0.1.2374
- QNAP NAS devices running Multimedia Console versions prior to 1.4.7, or Multimedia Console versions prior to 2.1.1
For detailed information on the affected products, please refer to the corresponding security advisory on the vendor's website.
Impact:
Successful exploitation of the vulnerabilities could lead to arbitrary code execution or tampering on an affected system.
Recommendation:
Patches for affected products are available. System administrators of affected products should follow the recommendations provided by the product vendor and take immediate action to mitigate the risk.
More Information:
- https://www.qnap.com/en/security-advisory/QSA-23-12
- https://www.qnap.com/en/security-advisory/QSA-23-25
- https://www.qnap.com/en/security-advisory/QSA-23-29
- https://www.hkcert.org/security-bulletin/qnap-nas-multiple-vulnerabilities_20230925
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-20001
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36760
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37436
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23363 (to CVE-2023-23364)