Cheraw Chronicle

Complete News World

Qnap releases truckload of patches for 'irresistible' bug

Qnap releases truckload of patches for 'irresistible' bug

Qnap releases a lot of patches for its NAS software. This will close several leaks that are critical according to independent researchers. So I drop everything, and the update is now the message.

Qnap is releasing a bunch of patches for QTS and QuTS Hero. Manufacturer's NAS and storage server operating systems are vulnerable to exploitation.

Not dangerous or irresistible?

One notable zero day: CVE-2023-50358. Qnap describes this bug as not very serious and difficult to exploit. The manufacturer is satisfied with one CVSS score 5.8. This analysis contradicts the findings of Palo Alto security specialist Unit 42, which describes the vulnerability as not complex to exploit with a potentially serious impact. Unit 42 describes it as “an irresistible target for attackers.”

Palo Alto Unit 42 is not alone in this conclusion. also German BSI He has now participated. According to the agency responsible for digital security, the leak could cause serious damage. BSI recommends users install patches immediately. It's not entirely clear why Qnap chose to present the vulnerability in a different way. This bug allows hackers to inject code, which is usually considered critical.

Unit42 notes that there are currently at least 289,665 vulnerable devices online. A technical analysis of the vulnerability and potential misuse is now also available online.

Furthermore, the software appears to be vulnerable to another flaw: CVE-2023-47218. This was discovered by Rapid7 and Qnap also described it as not very dangerous. Qnap and Rapid7 don't seem to work perfectly together Responsible disclosureWith a strange behavior from the NAS specialist who did not adhere to the agreements concluded with the security company.

See also  The first foldable iPhone: will it come after all?

However, all that drama has nothing to do with the heart of the matter. The crux of the matter is as follows: Qnap's critical software is vulnerable to misuse, and independent authorities believe there is a good chance that attackers will seize this opportunity. Qnap has released patches, so installation is the message.

Lots of stains

For some reason, Qnap opts for a somewhat ambiguous patching policy, with different patches for different versions that fully or partially fix bugs. Upgrading to the latest version seems to be the best idea for us.

Software version Ernest Partially corrected version Fully corrected version
QTS 5.1.x Mediation QTS 5.1.0.2444 version 20230629 and later QTS 5.1.5.2645 version 20240116 and later
QTS 5.0.1 Mediation QTS 5.0.1.2145 version 20220903 and later QTS 5.1.5.2645 version 20240116 and later
QTS 5.0.0 high QTS 5.0.0.1986 version 20220324 and later QTS 5.1.5.2645 version 20240116 and later
QTS 4.5.x, 4.4.x high QTS 4.5.4.2012 version 20220419 and later QTS 4.5.4.2627 version 20231225 and later
QTS 4.3.6, 4.3.5 high QTS 4.3.6.2665 version 20240131 and later QTS 4.3.6.2665 version 20240131 and later
QTS 4.3.4 high QTS 4.3.4.2675 version 20240131 and later QTS 4.3.4.2675 version 20240131 and later
QTS 4.3.x high QTS 4.3.3.2644 version 20240131 and later QTS 4.3.3.2644 version 20240131 and later
QTS 4.2.x high QTS 4.2.6 version 20240131 and later QTS 4.2.6 version 20240131 and later
QTS Hero h5.1.x Mediation QuTS Hero h5.1.0.2466 version 20230721 and later QuTS Hero h5.1.5.2647 version 20240118 and later
QTS Hero h5.0.1 Mediation QuTS Hero h5.0.1.2192 version 20221020 and later QuTS Hero h5.1.5.2647 version 20240118 and later
QTS Hero h5.0.0 high QuTS Hero h5.0.0.1986 version 20220324 and later QuTS Hero h5.1.5.2647 version 20240118 and later
QTS Hero h4.x high QuTS Hero h4.5.4.1991 version 20220330 and later QuTS Champion h4.5.4.2626 version 20231225 and later
CutsCloud c5.x high QuTScloud c5.1.5.2651 and later QuTScloud c5.1.5.2651 and later

Criminals regularly target bugs in Qnap software, and there's no reason to believe the risk is any lower this time around. If Palo Alto and the British Bureau of Standards are right, it won't be long before hackers target the bugs. So updates can be a priority.

See also  Virtual private nightmare? These are the biggest drawbacks of a VPN