12-25-2020 , 12:45 AM
QNAP has released a series of new patches which fix multiple high severity vulnerabilities that impact its NAS devices running the QES, QTS and QuTS hero operating systems.
In total, this latest round of security updates patch six vulnerabilities that affect older versions of the NAS maker's FreeBSD, Linux and 128-bit ZFS based operating systems.
TIM Security Red Team Research, Lodestone Security and the CFF of Topsec Alpha Team discovered and reported these security bugs to QNAP which if left unpatched, could be used to carry out command injection or cross-site scripting (XSS) on the company's NAS devices.
While the XSS vulnerabilities could allow a remote attacker to inject malicious code into vulnerable versions of QNAP's apps, the command injection bugs could be used to elevate privileges, execute arbitrary commands or even take over a device's underlying operating system.
Source
In total, this latest round of security updates patch six vulnerabilities that affect older versions of the NAS maker's FreeBSD, Linux and 128-bit ZFS based operating systems.
TIM Security Red Team Research, Lodestone Security and the CFF of Topsec Alpha Team discovered and reported these security bugs to QNAP which if left unpatched, could be used to carry out command injection or cross-site scripting (XSS) on the company's NAS devices.
While the XSS vulnerabilities could allow a remote attacker to inject malicious code into vulnerable versions of QNAP's apps, the command injection bugs could be used to elevate privileges, execute arbitrary commands or even take over a device's underlying operating system.
Source