Endpoint Security , Internet of Things Security

QNAP Systems Patches Critical Vulnerability

Taiwanese Hardware Manufacturer Fixes Improper Authentication Flaw
QNAP Systems Patches Critical Vulnerability

QNAP Systems on Saturday released a patch for a critical bug that allows unauthorized access to devices without authentication.

See Also: Securing Enterprise IoT: Advanced Threats and Strategies to Respond

The Taiwanese hardware vendor's advisory said the flaw, tracked as CVE-2024-21899 with a CVSS score of 9.8, is an improper authentication problem that could enable users to compromise system security through network access.

According to QNAP, this issue affects its QTS, QuTS hero, and QuTScloud products and potentially exposes network-attached storage devices to unauthorized access.

QNAP's advisory also highlights two additional vulnerabilities that have been resolved in QTS, QuTS hero, QuTScloud, and myQNAPcloud. Tracked as CVE-2024-21900 and CVE-2024-21901, these medium-severity issues could result in command execution or code injection over a network.

CVE-2024-21900 is an injection vulnerability that, if exploited, enables authenticated users to execute commands via a network. CVE-2024-21901 is an SQL injection vulnerability that could allow authenticated administrators to inject malicious code via a network.

The company recommends that users regularly update systems and applications to the latest version to benefit from vulnerability fixes.

The U.S. Cybersecurity and Infrastructure Security Agency in December 2023 found multiple vulnerabilities in various industrial control systems that enabled hackers to gain full access to the system and disclose sensitive information.

CISA's advisory addressed QNAP's VioStor NVR, a device designed for the surveillance and management of IP cameras in a networked environment.

The OS command injection vulnerability tracked as CVE-2023-47565 in VioStor NVR can enable an attacker to achieve remote code execution by exploiting Network Time Protocol settings.

In QNAP VioStor, NTP refers to the configuration options related to time synchronization with external time servers. The protocol is used to synchronize the clocks of devices on a network, ensuring that they have accurate and consistent time settings. The vulnerability can also result in remote code execution.

"Knowing your vulnerabilities and having a plan to manage them is a critical component to a defensible architecture. OT security strategies often start with hardening the environment - removing extraneous OT network access points, maintaining strong policy control at IT/OT interface points, and mitigating high-risk vulnerabilities," Kate Vajda, director of intelligence research at Dragos, told Information Security Media Group in December.

A defensible architecture is not simply a "hardened" one," but supports the people and processes behind it, said Vajda.

"It must support the collection requirements that were established in the IRP and implemented for improved OT visibility and monitoring. Lastly, many aspects of risk-based vulnerability management are only possible when the defenders can leverage a defensible architecture," Vajda said.

About the Author

Prajeet Nair

Prajeet Nair

Assistant Editor, Global News Desk, ISMG

Nair previously worked at TechCircle, IDG, Times Group and other publications, where he reported on developments in enterprise technology, digital transformation and other issues.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.