Risk | Medium |
Patch available | YES |
Number of vulnerabilities | 3 |
CVE-ID | CVE-2023-38408 CVE-2021-41617 CVE-2020-14145 |
CWE-ID | CWE-426 CWE-269 CWE-327 |
Exploitation vector | Network |
Public exploit | Public exploit code for vulnerability #1 is available. |
Vulnerable software | QuTS hero (Hardware solutions / Firmware); QNAP QTS (Server applications / File servers (FTP/HTTP)) |
Vendor | QNAP Systems, Inc. |
Security Bulletin
This security bulletin contains information about 3 vulnerabilities.
EUVDB-ID: #VU78454
Risk: Medium
CVSSv3.1: 6.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C]
CVE-ID: CVE-2023-38408
CWE-ID: CWE-426 - Untrusted Search Path
Exploit availability: Yes
Description
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to usage of an insecure search path within the PKCS#11 feature in ssh-agent. A remote attacker can trick the victim into connecting to a malicious SSH server and execute arbitrary code on the system, if an agent is forwarded to an attacker-controlled system.
Note: this vulnerability exists due to an incomplete fix for #VU2015 (CVE-2016-10009).
Install update from vendor's website.
Vulnerable software versions
QuTS hero: before h5.1.8.2823 build 20240712
QNAP QTS: before 5.1.8.2823 20240712
External links
http://www.qnap.com/en/security-advisory/qsa-24-37
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.
EUVDB-ID: #VU58333
Risk: Low
CVSSv3.1: 6.1 [CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-41617
CWE-ID: CWE-269 - Improper Privilege Management
Exploit availability: No
Description
The vulnerability allows a local user to escalate privileges.
The vulnerability exists due to improper privilege management in sshd, when certain non-default configurations are used, because supplemental groups are not initialized as expected. Helper programs for AuthorizedKeysCommand and AuthorizedPrincipalsCommand may run with privileges associated with group memberships of the sshd process, if the configuration specifies running the command as a different user. A local user can escalate privileges on the system.
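To see whether a given sshd configuration is one of the non-default setups described above, the following added example (not part of the bulletin or of QNAP's or OpenSSH's code) lists every AuthorizedKeysCommand or AuthorizedPrincipalsCommand helper that sshd is told to run as another user. The function name and the sample configuration are constructed for illustration; the directive names are standard sshd_config keywords.

```python
import re

# Helper directives named in the CVE-2021-41617 description, mapped to the
# directive that makes sshd run the helper as a different user.
HELPERS = {
    "authorizedkeyscommand": "authorizedkeyscommanduser",
    "authorizedprincipalscommand": "authorizedprincipalscommanduser",
}
# sshd_config: keyword, then whitespace or a single '=', then the arguments.
LINE = re.compile(r"(\w+)(?:\s*=\s*|\s+)(.*)")

def audit_sshd_config(text):
    """Return (context, directive, command, run_as_user) for each helper in scope."""
    contexts = {"global": {}}
    current = "global"
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:                      # blank line or comment
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":             # settings below apply to this Match block
            current = "Match " + value
            contexts.setdefault(current, {})
        else:                          # sshd keeps the first value it reads
            contexts[current].setdefault(key, value)
    findings = []
    glob = contexts["global"]
    for name, ctx in contexts.items():
        for cmd_key, user_key in HELPERS.items():
            if name != "global" and cmd_key not in ctx and user_key not in ctx:
                continue               # block inherits global; already reported
            command = ctx.get(cmd_key, glob.get(cmd_key))
            user = ctx.get(user_key, glob.get(user_key))
            if command and command.lower() != "none" and user:
                findings.append((name, cmd_key, command, user))
    return findings

# Constructed sample configuration, not taken from any QNAP device.
SAMPLE = """\
Port 22
AuthorizedKeysCommand /usr/local/bin/fetch-keys --format=ssh %u
AuthorizedKeysCommandUser keyfetch
AuthorizedPrincipalsCommand none
Match Group contractors
    AuthorizedPrincipalsCommand /opt/ca/principals %u
    AuthorizedPrincipalsCommandUser nobody
"""

if __name__ == "__main__":
    for finding in audit_sshd_config(SAMPLE):
        print(finding)
```

A non-empty result only means the configuration matches the condition in the description; whether the host is affected still depends on the firmware version listed below.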
Install update from vendor's website.
Vulnerable software versions
QuTS hero: before h5.1.8.2823 build 20240712
QNAP QTS: before 5.1.8.2823 20240712
External links
http://www.qnap.com/en/security-advisory/qsa-24-37
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker must have authentication credentials and successfully authenticate on the system.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU32937
Risk: Medium
CVSSv3.1: 4.7 [CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-14145
CWE-ID: CWE-327 - Use of a Broken or Risky Cryptographic Algorithm
Exploit availability: No
Description
The vulnerability allows a remote attacker to perform a MitM attack.
The vulnerability exists in the OpenSSH client during algorithm negotiation due to an observable discrepancy. A remote attacker can perform a Man-in-the-Middle (MitM) attack.
Install update from vendor's website.
Vulnerable software versions
QuTS hero: before h5.1.8.2823 build 20240712
QNAP QTS: before 5.1.8.2823 20240712
External links
http://www.qnap.com/en/security-advisory/qsa-24-37
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.