QNAP addresses critical flaws across NAS, router software

QNAP has released security bulletins over the weekend, which address multiple vulnerabilities, including three critical severity flaws that users should address as soon as possible.

Starting with QNAP Notes Station 3, a note-taking and collaboration application used in the firm's NAS systems, the following two vulnerabilities impact it:

• CVE-2024-38643 – Missing authentication for critical functions could allow remote attackers to gain unauthorized access and execute specific system functions. The lack of proper authentication mechanisms makes it possible for attackers to exploit this flaw without prior credentials, leading to potential system compromise. (CVSS v4 score: 9.3, "critical")
• CVE-2024-38645 – Server-side request forgery (SSRF) vulnerability that could enable remote attackers with authentication credentials to send crafted requests that manipulate server-side behavior, potentially exposing sensitive application data.

QNAP has resolved these issues in Notes Station 3 version 3.9.7 and recommends users update to this version or later to mitigate the risk. Instructions on updating are available in this bulletin.

The other two issues listed in the same bulletin, CVE-2024-38644 and CVE-2024-38646, are high-severity (CVSS v4 score: 8.7, 8.4) command injection and unauthorized data access problems that require user-level access to exploit.

QuRouter flaws

The third critical flaw QNAP addressed on Saturday is CVE-2024-48860, impacting QuRouter 2.4.x products, QNAP's line of high-speed, secure routers.

The flaw, rated 9.5 "critical" according to CVSS v4, is an OS command injection flaw that could allow remote attackers to execute commands on the host system.

QNAP also fixed a second, less severe command injection problem tracked as CVE-2024-48861, with both issues addressed in QuRouter version 2.4.3.106.

Other QNAP fixes

Other products that received important fixes this weekend are QNAP AI Core (AI engine), QuLog Center (log management tool), QTS (standard OS for NAS devices), and QuTS Hero (advanced version of QTS).

Here's a summary of the most important flaws that were fixed in those products, with a CVSS v4 rating between 7.7 and 8.7 (high).

• CVE-2024-38647: Information exposure problem that could allow remote attackers to gain access to sensitive data and compromise system security. The flaw affects QNAP AI Core version 3.4.x and has been resolved in version 3.4.1 and later.
• CVE-2024-48862: Link-following flaw that could allow remote unauthorized attackers to traverse the file system and access or modify files. It impacts QuLog Center versions 1.7.x and 1.8.x, and was fixed in versions 1.7.0.831 and 1.8.0.888.
• CVE-2024-50396 and CVE-2024-50397: Improper handling of externally controlled format strings, which could allow attackers to access sensitive data or modify memory. CVE-2024-50396 can be exploited remotely to manipulate system memory, while CVE-2024-50397 requires user-level access. Both vulnerabilities have been resolved in QTS 5.2.1.2930 and QuTS hero h5.2.1.2929.

QNAP customers are strongly advised to install the updates as soon as possible to remain protected against potential attacks.

As always, QNAP devices should never be connected directly to the Internet and should instead be deployed behind a VPN to prevent remote exploitation of flaws.