QNAP: critical intervention to resolve security flaws in NAS
Urgent security measures: QTS, QuTS hero and QuTScloud updated to counter serious threats
QNAP has released updates to fix two serious vulnerabilities in its NAS devices, which could allow attackers to execute commands. It is urgent to install these updates.
QNAP Systems has released security advisories describing two significant command injection vulnerabilities that affect multiple versions of the QTS, QuTS hero and QuTScloud firmware on its network-attached storage (NAS) devices. Cyber security analyst Pierluigi Paganini highlighted the seriousness of the threat these flaws represent.
Identification and risk of security flaws
The first vulnerability, tracked as CVE-2023-23368, has a severity score of 9.8, which places it among the critical-risk issues. A malicious user can exploit this flaw to execute unauthorized commands over the network. The second vulnerability, tracked as CVE-2023-23369, has a severity score of 9.0 and poses a similarly high risk.
Corrective measures for QNAP NAS
Users of affected QNAP NAS devices should promptly apply the security updates provided by the company. These updates are essential to prevent attacks by malicious actors, who have previously conducted malware campaigns aimed at exploiting outdated QNAP NAS firmware versions.
Update information and procedures
Network administrators should check the firmware update section of the device management interface for new releases, then download and install the latest versions to mitigate the risk. The Multimedia Console and Media Streaming add-on components also need to be checked and updated via the device's App Center. Finally, experts advise against paying ransoms in the event of an attack, as payment does not guarantee that the data compromise will be resolved.
11/07/2023 21:10
Editorial AI