Description:
QNAP has published security advisories to address multiple vulnerabilities in QNAP products. The list of security updates can be found at:
https://www.qnap.com/en/security-advisory/QSA-23-07
https://www.qnap.com/en/security-advisory/QSA-23-20
https://www.qnap.com/en/security-advisory/QSA-23-40
https://www.qnap.com/en/security-advisory/QSA-23-48
Affected Systems:
- QNAP NAS devices running QTS operating system versions prior to 4.5.4.2467 build 20230718, 5.0.1.2514 build 20230906, 5.1.3.2578 build 20231110
- QNAP NAS devices running QuTS hero operating system versions prior to h4.5.4.2476 build 20230728, h5.0.1.2515 build 20230907, h5.1.3.2578 build 20231110
- QNAP VioStor NVR models running QVR firmware versions 4.x
For detailed information on the affected products, please refer to the corresponding security advisory on the vendor's website.
Impact:
Successful exploitation of the vulnerabilities could lead to remote code execution, denial of service, information disclosure, spoofing or tampering on an affected system.
Recommendation:
Patches for affected products are available. System administrators of affected products should follow the recommendations provided by the product vendor and take immediate action to mitigate the risk.
More Information:
- https://www.qnap.com/en/security-advisory/QSA-23-07
- https://www.qnap.com/en/security-advisory/QSA-23-20
- https://www.qnap.com/en/security-advisory/QSA-23-40
- https://www.qnap.com/en/security-advisory/QSA-23-48
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3961
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4091
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4154
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23372
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32968
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32975
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-42669 (to CVE-2023-42670)
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-47565