Qnap releases truckload of patches for 'irresistible' bug

Qnap releases a lot of patches for its NAS software. This will close several leaks that are critical according to independent researchers. So I drop everything, and the update is now the message.

Qnap is releasing a bunch of patches for QTS and QuTS Hero. Manufacturer's NAS and storage server operating systems are vulnerable to exploitation.

Not dangerous or irresistible?

One notable zero day: CVE-2023-50358. Qnap describes this bug as not very serious and difficult to exploit. The manufacturer is satisfied with one CVSS score 5.8. This analysis contradicts the findings of Palo Alto security specialist Unit 42, which describes the vulnerability as not complex to exploit with a potentially serious impact. Unit 42 describes it as “an irresistible target for attackers.”

Palo Alto Unit 42 is not alone in this conclusion. also German BSI He has now participated. According to the agency responsible for digital security, the leak could cause serious damage. BSI recommends users install patches immediately. It's not entirely clear why Qnap chose to present the vulnerability in a different way. This bug allows hackers to inject code, which is usually considered critical.

Unit42 notes that there are currently at least 289,665 vulnerable devices online. A technical analysis of the vulnerability and potential misuse is now also available online.

Furthermore, the software appears to be vulnerable to another flaw: CVE-2023-47218. This was discovered by Rapid7 and Qnap also described it as not very dangerous. Qnap and Rapid7 don't seem to work perfectly together Responsible disclosureWith a strange behavior from the NAS specialist who did not adhere to the agreements concluded with the security company.

However, all that drama has nothing to do with the heart of the matter. The crux of the matter is as follows: Qnap's critical software is vulnerable to misuse, and independent authorities believe there is a good chance that attackers will seize this opportunity. Qnap has released patches, so installation is the message.

Lots of stains

For some reason, Qnap opts for a somewhat ambiguous patching policy, with different patches for different versions that fully or partially fix bugs. Upgrading to the latest version seems to be the best idea for us.

Criminals regularly target bugs in Qnap software, and there's no reason to believe the risk is any lower this time around. If Palo Alto and the British Bureau of Standards are right, it won't be long before hackers target the bugs. So updates can be a priority.