Some QNAP NAS devices affected by a critical vulnerability, updates available right now

Alfonso Maruccia

In context: Network-attached storage (NAS) devices manufactured by QNAP are popular for file sharing, virtualization, surveillance, and storage management. The company is also known for frequent security flaws in its NAS firmware, some of which expose not only the device itself but the network it sits on.

Taiwan-based NAS manufacturer QNAP urges device owners to update their firmware as soon as possible because a newly disclosed critical vulnerability could let attackers compromise the devices over the network. The flaw is one of three recently disclosed bugs that the company has already patched across its Linux-based NAS operating systems and cloud applications.

A security bulletin (QSA-24-09) lists three flaws affecting "certain" versions of QNAP's operating systems. The most severe, CVE-2024-21899, is an improper authentication vulnerability that could allow attackers to compromise the NAS over the network without first logging in. The NIST database rates it "critical" with a CVSS score of 9.8, a score that implies the bug is reachable over the network with low attack complexity and requires neither privileges nor user interaction, so it is easy to exploit once the details are known.

The other two flaws are an injection vulnerability (CVE-2024-21900) that could allow authenticated users to execute commands over the network, and an SQL injection vulnerability (CVE-2024-21901) that could allow authenticated administrators to inject malicious code, the latter affecting the myQNAPcloud platform. Both carry "medium" NIST scores because they require an already authenticated account, so they do not pose the same threat as CVE-2024-21899, although they remain useful to an attacker who has obtained credentials by other means.

The company has already released updated firmware fixing the three bugs and marked the security bulletin as "Resolved." The affected products are QTS 5.1.x, QTS 4.5.x, QuTS hero h5.1.x, QuTS hero h4.5.x, QuTScloud c5.x, and myQNAPcloud 1.0.x. Owners and administrators should check for and install the updates on their NAS systems and applications now rather than wait for the next scheduled update run.

The bulletin also gives detailed instructions on finding and installing the new firmware, with separate update paths for QTS, QuTS hero, QuTScloud, and the cloud-focused myQNAPcloud platform. Customers and system administrators should also check QNAP's product support status page to see the latest updates available for their specific NAS model.
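As an added example, not part of the article and not QNAP's own tooling: a small Python triage script that parses QTS, QuTS hero and QuTScloud firmware strings, works out which branch (QTS 5.1.x, QuTS hero h4.5.x, and so on) each host is on, and flags the hosts that are below the fixed build for that branch. The values in FIXED_VERSIONS are entered here as assumptions and must be checked against the fixed versions listed in QSA-24-09 before the script is relied on; the host names and firmware strings in SAMPLE_INVENTORY are constructed for the demonstration. myQNAPcloud is a hosted service with its own version scheme and is deliberately left out.

```python
import re
from dataclasses import dataclass

# Firmware strings seen in the QTS / QuTS hero / QuTScloud UI look like
# "5.1.3.2578 build 20231110", "h5.1.3.2578 build 20231110" or "c5.1.5.2651".
# The optional leading letter identifies the product line; the build date may be absent.
_VERSION_RE = re.compile(
    r"^(?P<prefix>[hc]?)(?P<nums>\d+(?:\.\d+){1,3})(?:\s+build\s+(?P<build>\d{8}))?$",
    re.IGNORECASE,
)

_PREFIX_TO_PRODUCT = {"": "QTS", "h": "QuTS hero", "c": "QuTScloud"}


@dataclass(frozen=True)
class FirmwareVersion:
    product: str   # "QTS", "QuTS hero" or "QuTScloud", inferred from the prefix letter
    parts: tuple   # dotted numeric components, e.g. (5, 1, 3, 2578)
    build: int     # YYYYMMDD build date, 0 when the string carries none

    @property
    def branch(self):
        # The bulletin lists affected lines as "QTS 5.1.x", "QuTS hero h4.5.x", etc.,
        # so a branch is the product plus the first two numeric components.
        return (self.product, self.parts[:2])

    @property
    def key(self):
        # Order by the dotted numbers first and the build date second.
        return (self.parts, self.build)


def parse_version(text: str) -> FirmwareVersion:
    """Parse a QNAP firmware string; raises ValueError on anything unrecognised."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware string: {text!r}")
    prefix = m.group("prefix").lower()
    parts = tuple(int(p) for p in m.group("nums").split("."))
    build = int(m.group("build")) if m.group("build") else 0
    return FirmwareVersion(_PREFIX_TO_PRODUCT[prefix], parts, build)


# ASSUMED minimum fixed versions per affected branch. Verify every entry against
# QSA-24-09 before using this for anything more than a demonstration.
FIXED_VERSIONS = {
    v.branch: v
    for v in map(parse_version, [
        "5.1.3.2578 build 20231110",    # QTS 5.1.x
        "4.5.4.2627 build 20231225",    # QTS 4.5.x
        "h5.1.3.2578 build 20231110",   # QuTS hero h5.1.x
        "h4.5.4.2626 build 20231225",   # QuTS hero h4.5.x
        "c5.1.5.2651",                  # QuTScloud c5.x
    ])
}


def triage(inventory):
    """Map each (host, firmware string) to patched / vulnerable / unknown-branch / unparseable."""
    results = {}
    for host, firmware in inventory:
        try:
            version = parse_version(firmware)
        except ValueError:
            results[host] = "unparseable"       # fix the inventory entry, then re-run
            continue
        fixed = FIXED_VERSIONS.get(version.branch)
        if fixed is None:
            # Branch not in the bulletin's table: do not assume it is safe, check the
            # product support status page for that model instead.
            results[host] = "unknown-branch"
        elif version.key >= fixed.key:
            results[host] = "patched"
        else:
            results[host] = "vulnerable"
    return results


# Constructed sample inventory (host names and versions invented for this example).
SAMPLE_INVENTORY = [
    ("nas-01", "5.1.2.2533 build 20230926"),   # QTS 5.1.x, below the fixed build
    ("nas-02", "5.1.5.2645 build 20240116"),   # QTS 5.1.x, newer than the fix
    ("nas-03", "h5.1.3.2578 build 20231110"),  # QuTS hero, exactly the fixed build
    ("nas-04", "4.5.4.2467 build 20230718"),   # QTS 4.5.x, below the fixed build
    ("nas-05", "5.0.1.2425 build 20230609"),   # QTS 5.0.x, not in the bulletin table
    ("nas-06", "firmware unknown"),            # inventory record that cannot be parsed
]

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host}: {status}")
```

The comparison is done on parsed tuples rather than on the raw strings so that "5.1.10" sorts after "5.1.3" and a build date only breaks ties between otherwise identical dotted versions. Hosts on a branch the bulletin does not list are reported separately instead of being silently treated as safe.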

Thanks for the heads up.

Does QNAP seem to get more issues of this type than other NAS vendors? Or am I just seeing them more as I have one.
 
Thanks for the heads up.

Does QNAP seem to get more issues of this type than other NAS vendors? Or am I just seeing them more as I have one.
Any consumer off-the-shelf NAS will have this, as obviously devices like a NAS usually store valuable info or backups and so are very much a target for hackers and such. Though it doesn't help that QNAP / Synology etc. use their own custom closed systems where there is no external security review, so the vulnerabilities usually pop up and there is a scramble to fix them. Hence why, unless you absolutely need the convenience and ease of use, I would just build up your own NAS and follow best security practices for your own system. Sure, there will still be bugs, but there is more differentiation and more open insight into potential issues, alongside the cost savings and being able to use any hardware you like.
 
Any consumer off-the-shelf NAS will have this, as obviously devices like a NAS usually store valuable info or backups and so are very much a target for hackers and such
Well they would only get po*n on mine 😂😂😂

That’s a joke for those who take everything literally.

Or is it?
 
Thanks for the heads up.

Does QNAP seem to get more issues of this type than other NAS vendors? Or am I just seeing them more as I have one.
I can attest that they do. I had two different models and both got hacked because of a vulnerability within a few months of each other. I ended up with both of them encrypted by ransomware.