CanSSOC advisory: Vulnerability – QNAP – critical auth bypass flaw

Published: March 8, 2024

CanSSOC Threat Assessment [*]: HIGH

Summary:

On March 8, QNAP published a security bulletin disclosing three security flaws in its NAS software products, including QTS, QuTS hero, QuTScloud and myQNAPcloud. Exploitation of these vulnerabilities can lead to an authentication bypass, command injection and SQL injection [1].

Vulnerabilities [1]:

  • CVE-2024-21899: Improper authentication mechanisms allow unauthorized users to compromise the system’s security through the network (remotely).
  • CVE-2024-21900: This vulnerability could allow authenticated users to execute arbitrary commands on the system via a network, potentially leading to unauthorized system access or control.
  • CVE-2024-21901: This flaw could enable authenticated administrators to inject malicious SQL code through the network, potentially compromising the database integrity and manipulating its contents.

The CanSSOC team recommends that partner institutions using any of the affected products apply the recommendations listed below.

Details:

  • CVE: CVE-2024-21899, CVE-2024-21900, CVE-2024-21901
  • CVSS: 9.8 (CVE-2024-21899), 4.3 (CVE-2024-21900), 4.7 (CVE-2024-21901)
  • Impacted version(s):
    • QTS 5.1.x
    • QTS 4.5.x
    • QuTS hero h5.1.x
    • QuTS hero h4.5.x
    • QuTScloud c5.x
    • myQNAPcloud 1.0.x service
  • Fixed version(s):
    • QTS 5.1.3.2578 build 20231110 and later
    • QTS 4.5.4.2627 build 20231225 and later
    • QuTS hero h5.1.3.2578 build 20231110 and later
    • QuTS hero h4.5.4.2626 build 20231225 and later
    • QuTScloud c5.1.5.2651 and later
    • myQNAPcloud 1.0.52 (2023/11/24) and later
  • Active exploitation: No reports of active exploitation in the wild.

Recommendations:

  • To secure your device, we recommend regularly updating your system and applications to the latest version. You can check the QNAP product support status to see the latest updates available to your NAS model [3].
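As an added example (not part of the CanSSOC advisory or any QNAP tooling), the fixed-version list above turned into an inventory check: it parses QNAP version strings including the build date, matches an installed version to the release branch the advisory lists, and reports each host as patched, vulnerable, or unknown when its branch is not covered. The hostnames and installed versions in SAMPLE are constructed for illustration.

```python
import re
# Fixed versions exactly as listed in the advisory, per product; matched by release branch below.
FIXED = {
    "QTS": ["5.1.3.2578 build 20231110", "4.5.4.2627 build 20231225"],
    "QuTS hero": ["h5.1.3.2578 build 20231110", "h4.5.4.2626 build 20231225"],
    "QuTScloud": ["c5.1.5.2651"],
    "myQNAPcloud": ["1.0.52"],
}
# Leading version components that identify an affected branch (5.1.x, h4.5.x, c5.x, 1.0.x).
BRANCH_LEN = {"QTS": 2, "QuTS hero": 2, "QuTScloud": 1, "myQNAPcloud": 2}
VERSION_RE = re.compile(r"([a-z]?)(\d+(?:\.\d+)*)(?:\s+build\s+(\d{8}))?", re.I)

def parse_version(text):
    """'h5.1.3.2578 build 20231110' -> ('h', (5, 1, 3, 2578), 20231110); build is None if absent."""
    m = VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised QNAP version string: {text!r}")
    prefix, nums, build = m.groups()
    return prefix.lower(), tuple(int(n) for n in nums.split(".")), (int(build) if build else None)

def status(product, installed):
    """Return 'patched', 'vulnerable' or 'unknown' for one installed product/version."""
    if product not in FIXED:
        return "unknown"
    prefix, nums, build = parse_version(installed)
    n = BRANCH_LEN[product]
    for fixed in FIXED[product]:
        fprefix, fnums, fbuild = parse_version(fixed)
        if fprefix != prefix or nums[:n] != fnums[:n]:
            continue  # this fixed version covers a different release branch
        if nums != fnums:
            return "patched" if nums > fnums else "vulnerable"
        if fbuild is None:
            return "patched"  # identical version number and no build date to distinguish
        if build is None:
            return "unknown"  # identical version number; the build date is needed to decide
        return "patched" if build >= fbuild else "vulnerable"
    return "unknown"  # branch not covered by the advisory's fixed-version list

def scan(inventory):
    """inventory: iterable of (host, product, version) -> list of (host, status)."""
    return [(host, status(product, version)) for host, product, version in inventory]

# Constructed sample inventory; hostnames and installed versions are illustrative only.
SAMPLE = [
    ("nas-lib-01", "QTS", "5.1.3.2578 build 20231110"),
    ("nas-eng-01", "QuTS hero", "h5.1.3.2578 build 20231022"),
    ("cloud-01", "QuTScloud", "c5.1.0.2498"),
    ("nas-old-01", "QTS", "4.3.6.2441 build 20230621"),
]
```

A host whose version number equals the fixed one but whose build date is missing is reported as unknown rather than patched, so the check stays conservative when inventory data is incomplete.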

Support:

As always, please let us know if you have any questions or concerns or see unusual activity on your systems that you believe might be associated with this or any other vulnerability. Please send these communications to security.response@utoronto.ca.

Footnotes:

[*] The CanSSOC Threat Assessment has the following four scores: LOW, MEDIUM, HIGH, SEVERE.