Multiple QNAP NAS operating systems and services, including QTS, QuTS hero, QuTScloud, and myQNAPcloud, are affected by three critical severity flaws. Tracked as CVE-2024-21899, CVE-2024-21900, and CVE-2024-21901, the vulnerabilities could allow attackers to compromise the system's security, execute commands, or inject malicious code via a network.
Network-attached storage (NAS) is a file-level storage server connected to a computer network. It allows multiple users to store and share files over a TCP/IP network. NAS systems are flexible and can scale out, meaning that users can add storage capacity as needed. NAS devices typically use hard disk drives (HDDs) for storage capacity.
CVE-2024-21899
This improper authentication vulnerability may allow users to compromise the system’s security via a network.
CVE-2024-21900
This injection vulnerability could allow authenticated users to execute commands via a network.
CVE-2024-21901
This SQL injection vulnerability could allow authenticated administrators to inject malicious code via a network.
Affected and Patched Versions
| Affected Product | Fixed Version |
|---|---|
| QTS 5.1.x | QTS 5.1.3.2578 build 20231110 and later |
| QTS 4.5.x | QTS 4.5.4.2627 build 20231225 and later |
| QuTS hero h5.1.x | QuTS hero h5.1.3.2578 build 20231110 and later |
| QuTS hero h4.5.x | QuTS hero h4.5.4.2626 build 20231225 and later |
| QuTScloud c5.x | QuTScloud c5.1.5.2651 and later |
| myQNAPcloud 1.0.x | myQNAPcloud 1.0.52 (2023/11/24) and later |
Please refer to the QNAP Security Advisory (QSA-24-09) for more information.
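As an added example (not code from the advisory, QNAP, or Qualys), the checker below encodes the fixed-version table above and reports whether a product/version string is at or above the fixed release for its branch, using the build date as a tie-breaker where the advisory gives one. The version-string format, the branch matching, and the (host, product, version) inventory shape are assumptions.

```python
import re

# Fixed versions from the QSA-24-09 table on this page; a build date of None
# means the advisory lists no "build YYYYMMDD" for that product line.
FIXED = {
    "QTS": {"5.1": ("5.1.3.2578", "20231110"), "4.5": ("4.5.4.2627", "20231225")},
    "QuTS hero": {"h5.1": ("h5.1.3.2578", "20231110"), "h4.5": ("h4.5.4.2626", "20231225")},
    "QuTScloud": {"c5": ("c5.1.5.2651", None)},
    "myQNAPcloud": {"1.0": ("1.0.52", None)},
}
VERSION_RE = re.compile(r"^(?P<prefix>[a-z]?)(?P<nums>\d+(?:\.\d+)*)(?:\s+build\s+(?P<build>\d{8}))?$")

def parse_version(text):
    """Split 'h5.1.3.2578 build 20231110' into ('h', (5, 1, 3, 2578), '20231110')."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = tuple(int(x) for x in m.group("nums").split("."))
    return m.group("prefix"), nums, m.group("build")

def branch_of(product, version):
    """Map a version to its advisory branch ('5.1', 'h4.5', 'c5', ...) or None if not listed."""
    prefix, nums, _ = parse_version(version)
    for branch in FIXED.get(product, {}):
        bprefix, bnums, _ = parse_version(branch)
        if bprefix == prefix and nums[: len(bnums)] == bnums:
            return branch
    return None

def is_patched(product, version):
    """True if version >= the fixed version for its branch; None if the table does not cover it."""
    branch = branch_of(product, version)
    if branch is None:
        return None
    fixed_ver, fixed_build = FIXED[product][branch]
    _, have, have_build = parse_version(version)
    _, need, _ = parse_version(fixed_ver)
    if have != need:  # tuple comparison, e.g. (5, 1, 2, 2533) < (5, 1, 3, 2578)
        return have > need
    if fixed_build is None:  # same numbers and no build date to compare
        return True
    # Same numeric version: the build date decides; a missing build date is treated as unpatched.
    return have_build is not None and have_build >= fixed_build

def audit(inventory):
    """Return the (host, product, version) entries that are not confirmed patched."""
    return [(h, p, v) for h, p, v in inventory if is_patched(p, v) is not True]
```

Entries that `audit` returns with `is_patched` == None are products or branches outside the table and need a manual check against the advisory rather than being treated as safe.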
Qualys Detection
Qualys customers can scan their devices with QID 731239 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.
References
https://www.qnap.com/en/security-advisory/qsa-24-09