QNAP Alerts Users about Critical Authentication Bypass Vulnerability in NAS Devices

March 8, 2024

QNAP, a maker of Network Attached Storage (NAS) devices, has issued a warning about vulnerabilities in its NAS software products, including QTS, QuTS hero, QuTScloud, and myQNAPcloud. These vulnerabilities could potentially enable attackers to gain unauthorized access to devices. The company has disclosed three specific vulnerabilities that could lead to an authentication bypass, command injection, and SQL injection.

The first flaw, identified as CVE-2024-21899, is particularly concerning because it can be exploited remotely without authentication and is rated 'low complexity'. The other two vulnerabilities require the attacker to already be authenticated on the target system, which significantly reduces the risk.

These vulnerabilities impact various versions of QNAP's operating systems, including QTS 5.1.x, QTS 4.5.x, QuTS hero h5.1.x, QuTS hero h4.5.x, QuTScloud c5.x, and the myQNAPcloud 1.0.x service. QNAP recommends that users upgrade their systems to the latest versions, which address these flaws.

To update QTS, QuTS hero, and QuTScloud, users need to log in as administrators, navigate to 'Control Panel > System > Firmware Update,' and click 'Check for Update' to initiate the automatic installation process. For updating myQNAPcloud, users should log in as admin, open the 'App Center,' type 'myQNAPcloud' in the search box, and press ENTER. The update should appear in the search results and users can click on the 'Update' button to begin the process.

NAS devices are often targeted by threat actors because they typically store large volumes of valuable data, including sensitive personal information, intellectual property, and critical business data. At the same time, they are often not closely monitored, remain connected to the internet, and may be running outdated operating systems or firmware. Previous ransomware operations known for targeting QNAP devices include DeadBolt, Checkmate, and Qlocker. These groups have launched multiple attack waves against NAS users, sometimes exploiting zero-day vulnerabilities to breach fully patched devices.
