Taiwan-based Network Attached Storage (NAS) device manufacturer QNAP Systems released security updates to address a number of vulnerabilities impacting its products, including a flaw that could potentially lead to unauthorized access to devices.
One of the vulnerabilities, CVE-2024-21899, is an improper authentication issue that could allow users to compromise the security of the system via a network. This flaw affects QNAP's QTS, QuTS hero, and QuTScloud products.
The flaw has been fixed in updated releases, including QTS 5.1.3.2578 build 20231110, QTS 4.5.4.2627 build 20231225, QuTS hero h5.1.3.2578 build 20231110, QuTS hero h4.5.4.2626 build 20231225, and QuTScloud c5.1.5.2651.
In addition to CVE-2024-21899, the NAS maker addressed two other vulnerabilities, tracked as CVE-2024-21900 and CVE-2024-21901 and rated medium severity. While these vulnerabilities can allow command execution or code injection over a network, exploiting them requires authorization and, in the case of CVE-2024-21901, administrator credentials.
The company has patched the flaws in QTS versions 4.5.4.2627 build 20231225 and 5.1.3.2578 build 20231110, QuTS hero version h5.1.3.2578 build 20231110, QuTScloud version c5.1.5.2651, and myQNAPcloud version 1.0.52 (2023/11/24).
QNAP has also announced patches for several other medium-severity vulnerabilities across its product range, including QuMagie Mobile, QTS, QuTS hero, QuTScloud, and Photo Station. These vulnerabilities could result in code injection, command execution, and data leaks.
The vendor has not reported any instances of these vulnerabilities being exploited in attacks.