SB2024042903 - Multiple vulnerabilities in QNAP QTS and QuTS hero

Description

This security bulletin contains information about 4 secuirty vulnerabilities.

1) Buffer overflow (CVE-ID: CVE-2023-50361)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error. A remote user can trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

2) Buffer overflow (CVE-ID: CVE-2023-50362)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error. A remote user can trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

3) Improper Authorization (CVE-ID: CVE-2023-50363)

The vulnerability allows a remote attacker to bypass authorization checks.

The vulnerability exists due to incorrect authorization. A remote user can bypass 2-step verification.

4) Buffer overflow (CVE-ID: CVE-2023-50364)

The vulnerability allows a remote user to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error. A remote administrator can trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Remediation

Install update from vendor's website.

References

• https://www.qnap.com/en/security-advisory/qsa-24-20