Qnap Patches Security Vulnerabilities in Numerous Products

A large number of Qnap devices and applications are affected by a variety of bugs. Qnap is releasing updates for all affected applications.

Many Qnap products are vulnerable to exploitation. The NAS specialist itself reports this in a security bulletin, which lists the bugs. Qnap has since released updates to patch the security vulnerabilities in the various products.

The severity of the vulnerabilities varies. Some bugs allow unauthorized access; others involve command injection or memory errors. Hackers could potentially exploit the bugs to gain access to systems or cause damage in other ways.

Overview

Given the multitude of bugs and the diverse products in which they occur, we’ll list everything. We describe the risk as well as the version you need to update to in order to patch the vulnerabilities. Qnap has prepared an update for all bugs.

  • QVPN Device Client, Qsync Client and Qfinder Pro for Mac
    Risk: A race condition may allow local attackers to gain unauthorized access.
    Resolved in: QVPN Device Client 2.2.5, Qsync Client 5.1.3 and Qfinder Pro 7.11.1.
  • QTS and QuTS hero
    Risk: An out-of-bounds write can lead to memory corruption by an attacker with administrator rights.
    Resolved in: QTS 5.1.9.2954 and QuTS hero h5.1.9.2954.
  • QuLog Center, Legacy QTS and Legacy QuTS hero
    Risk: A server-side request forgery (SSRF) can lead to unauthorized access to application data.
    Resolved in: QuLog Center 1.7.0.829 and 1.8.0.888, QTS 4.5.4.2957 and QuTS hero h4.5.4.2956.
  • QTS and QuTS hero (multiple vulnerabilities)
    Risk: CRLF injection, command injection and memory errors can modify application data or provide access to systems.
    Resolved in: QTS 5.2.3.3006 and QuTS hero h5.2.3.3006.
  • File Station 5
    Risk: Unauthorized access to files and folders.
    Resolved in: File Station 5.5.6.4741.
  • QuRouter
    Risk: Command injection can allow attackers to execute arbitrary commands.
    Resolved in: QuRouter 2.4.5.032 and 2.4.6.028.
  • Legacy QTS and QuTS hero
    Risk: Exposure of sensitive information.
    Resolved in: QTS 5.2.0.2851 and QuTS hero h5.2.0.2851.
  • Helpdesk
    Risk: Improper certificate validation can lead to system compromise.
    Resolved in: Helpdesk 3.3.3.
  • HBS 3 Hybrid Backup Sync
    Risk: A buffer overflow can lead to memory corruption or process interruptions.
    Resolved in: HBS 3 Hybrid Backup Sync 25.1.4.952.

As you can see, the bulletin covers quite a few issues. In summary, as a Qnap user, it’s advisable to log into your product and make sure everything is up to date.
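
The check recommended above can be scripted across a fleet. The following Python is an added example, not Qnap tooling and not part of the original article: it compares an inventory of installed versions against the fixed versions from the overview, one advisory at a time. The matching rule (same x.y.z line compares build numbers, otherwise the next higher listed fix is the target), the function names and the sample inventory are assumptions, and versions are expected in plain dotted form.

```python
# Added example: per-advisory version check. Fixed versions are copied from the
# overview above; the matching rule is an assumption and deliberately conservative.
ADVISORIES = [  # (product, risk as worded in the article, fixed versions)
    ("QVPN Device Client", "race condition", ["2.2.5"]),
    ("Qsync Client", "race condition", ["5.1.3"]),
    ("Qfinder Pro", "race condition", ["7.11.1"]),
    ("QTS", "out-of-bounds write", ["5.1.9.2954"]),
    ("QuTS hero", "out-of-bounds write", ["h5.1.9.2954"]),
    ("QuLog Center", "SSRF", ["1.7.0.829", "1.8.0.888"]),
    ("QTS", "SSRF", ["4.5.4.2957"]),
    ("QuTS hero", "SSRF", ["h4.5.4.2956"]),
    ("QTS", "CRLF/command injection, memory errors", ["5.2.3.3006"]),
    ("QuTS hero", "CRLF/command injection, memory errors", ["h5.2.3.3006"]),
    ("File Station 5", "unauthorized file access", ["5.5.6.4741"]),
    ("QuRouter", "command injection", ["2.4.5.032", "2.4.6.028"]),
    ("QTS", "sensitive information exposure", ["5.2.0.2851"]),
    ("QuTS hero", "sensitive information exposure", ["h5.2.0.2851"]),
    ("Helpdesk", "improper certificate validation", ["3.3.3"]),
    ("HBS 3 Hybrid Backup Sync", "buffer overflow", ["25.1.4.952"]),
]

def parse(version):
    """'h5.1.9.2954' -> (5, 1, 9, 2954); drops the QuTS hero 'h', pads to 4 parts."""
    parts = [int(p) for p in version.strip().lstrip("hH").split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def target_for(installed, fixes):
    """Return the fixed version to move to, or None if installed already has the fix."""
    have = parse(installed)
    same_line = [f for f in fixes if parse(f)[:3] == have[:3]]
    if same_line:  # a fix is listed for this x.y.z line: compare build numbers
        return same_line[0] if have < parse(same_line[0]) else None
    higher = sorted((f for f in fixes if parse(f) > have), key=parse)
    return higher[0] if higher else None  # newer than every listed fix: treated as fixed

def outstanding(inventory):
    """inventory: {product: installed version} -> [(product, risk, target version)]."""
    todo = []
    for product, risk, fixes in ADVISORIES:
        if product in inventory:
            target = target_for(inventory[product], fixes)
            if target:
                todo.append((product, risk, target))
    return todo

# Constructed sample inventory (not from the article).
SAMPLE = {"QTS": "5.2.0.2851", "QuRouter": "2.4.5.032", "QuLog Center": "1.8.0.100"}
if __name__ == "__main__":
    print(outstanding(SAMPLE))
```

A version that sits below a listed fix but on a line the bulletin does not name is flagged rather than assumed safe, so treat such rows as items to verify against Qnap's bulletin.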