Pierluigi Paganini November 06, 2023
Taiwanese vendor QNAP Systems addressed two critical command injection vulnerabilities, tracked as CVE-2023-23368 and CVE-2023-23369, that impact the QTS operating system and applications on its network-attached storage (NAS) devices.
The vulnerability CVE-2023-23368 (CVSS score 9.8) is an OS command injection issue that could be exploited by a remote attacker to execute commands via a network. The vulnerability was reported by CataLpa of Hatlab, Dbappsecurity Co. Ltd.
“An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow remote attackers to execute commands via a network.” reads the advisory.
Below are the impacted product versions and the available fixed versions:
Affected Product | Fixed Version |
QTS 5.0.x | QTS 5.0.1.2376 build 20230421 and later |
QTS 4.5.x | QTS 4.5.4.2374 build 20230416 and later |
QuTS hero h5.0.x | QuTS hero h5.0.1.2376 build 20230421 and later |
QuTS hero h4.5.x | QuTS hero h4.5.4.2374 build 20230417 and later |
QuTScloud c5.0.x | QuTScloud c5.0.1.2374 and later |
The vulnerability CVE-2023-23369 (CVSS score 9.0) could be exploited by a remote attacker to execute commands via a network.
“An OS command injection vulnerability has been reported to affect several QNAP operating system and application versions. If exploited, the vulnerability could allow remote attackers to execute commands via a network.” reads the advisory.
The flaw was reported by Eqqie, below are the impacted product versions and the available fixed versions:
Affected Product | Fixed Version |
QTS 5.1.x | QTS 5.1.0.2399 build 20230515 and later |
QTS 4.3.6 | QTS 4.3.6.2441 build 20230621 and later |
QTS 4.3.4 | QTS 4.3.4.2451 build 20230621 and later |
QTS 4.3.3 | QTS 4.3.3.2420 build 20230621 and later |
QTS 4.2.x | QTS 4.2.6 build 20230621 and later |
Multimedia Console 2.1.x | Multimedia Console 2.1.2 (2023/05/04) and later |
Multimedia Console 1.4.x | Multimedia Console 1.4.8 (2023/05/05) and later |
Media Streaming add-on 500.1.x | Media Streaming add-on 500.1.1.2 (2023/06/12) and later |
Media Streaming add-on 500.0.x | Media Streaming add-on 500.0.0.11 (2023/06/16) and later |
Network administrators are urged to address both vulnerabilities to prevent threat actors from exploiting them to take over devices running the vulnerable software.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, NAS)