QNAP fixes even more serious security vulnerabilities on your NAS devices

QNAP has released a series of new fixes that address various high-severity vulnerabilities affecting its NAS devices running the QES, QTS, and QuTS hero operating systems. In total, this latest round of security updates fixes six vulnerabilities that affect older versions of the NAS manufacturer's 128-bit FreeBSD, Linux, and ZFS operating systems. TIM Security Red Team Research, Lodestone Security and Topsec Alpha Team CFF discovered and reported these security bugs to QNAP. If not fixed, they could be used to perform command injection or cross-site scripting (XSS) on the company's NAS devices. While XSS vulnerabilities could allow a remote attacker to inject malicious code into vulnerable versions of QNAP applications, command injection bugs could be used to elevate privileges, execute arbitrary commands, or even take control of the underlying operating system of a device.

NAS vulnerabilities

Although QNAP has released fixes for six different vulnerabilities in its software, all of these issues have already been addressed in QES 2.1.1 Build 20201006 and later, QTS 4.5.1.1495 build 20201123 and later, and QuTS hero h4.5.1.1491 build 20201119 and later. This means that updating the software on your NAS device is the easiest and fastest way to fix all six vulnerabilities. To do this, log in to QES, QTS or QuTS hero as an administrator and go to Control Panel > System > Firmware update. In the Live Update section, click Check for update to download and install the latest available update for QES, QTS or QuTS hero. The update can also be downloaded and installed manually by visiting the Support Download Center on the QNAP website. Because NAS devices are often used to back up sensitive files and data, keeping them up to date is paramount to prevent hackers from taking advantage of known vulnerabilities.

Via BleepingComputer
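For anyone managing more than one NAS, the fixed releases listed above can be checked against an inventory. The following is an added example, not QNAP's or the article's code: the host names and installed firmware strings are constructed, and ordering by numeric version and then build date is an assumption about how "and later" should be read.

```python
import re

# Minimum fixed releases as stated in the article.
FIXED = {
    "QES": "2.1.1 Build 20201006",
    "QTS": "4.5.1.1495 build 20201123",
    "QuTS hero": "h4.5.1.1491 build 20201119",
}

# "<dotted version> build <YYYYMMDD>", with the optional "h" prefix of QuTS hero.
_VERSION_RE = re.compile(r"^h?(\d+(?:\.\d+)*)\s+build\s+(\d{8})$", re.IGNORECASE)


def parse_firmware(text):
    """Return ((major, minor, ...), build_date) or None if unparseable."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).split(".")), int(m.group(2))


def status(os_name, firmware):
    """Classify one device as 'fixed', 'needs-update' or 'unknown'."""
    fixed = FIXED.get(os_name)
    current = parse_firmware(firmware)
    if fixed is None or current is None:
        return "unknown"  # never report an unparseable device as safe
    return "fixed" if current >= parse_firmware(fixed) else "needs-update"


# Constructed inventory: (host, operating system, installed firmware string).
INVENTORY = [
    ("nas-backup-01", "QTS", "4.5.1.1480 build 20201108"),
    ("nas-backup-02", "QTS", "4.5.1.1495 build 20201123"),
    ("nas-lab-01", "QuTS hero", "h4.5.1.1472 build 20201031"),
    ("nas-san-01", "QES", "2.1.1 Build 20201006"),
    ("nas-old-01", "QTS", "not reported"),
]


def audit(inventory):
    """Map each host to its patch status."""
    return {host: status(os_name, fw) for host, os_name, fw in inventory}


if __name__ == "__main__":
    for host, result in audit(INVENTORY).items():
        print(f"{host:15} {result}")
```

Devices reported as `unknown` should be checked by hand in Control Panel > System > Firmware update rather than assumed to be patched.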