QNAP has issued an urgent call to action for users of its products, releasing security updates to address a range of vulnerabilities, including three rated as critical. Users are strongly advised to apply these patches immediately to mitigate potential risks.
One of the key areas of concern lies within the Notes Station 3 application, widely used on QNAP NAS (Network Attached Storage) systems. Among the critical vulnerabilities is CVE-2024-38643, which carries a severity score of 9.3 on the CVSS scale. This flaw enables attackers to execute system functions without authenticating first, posing a severe security threat.
An even more alarming issue, CVE-2024-38645, scored at 9.4 on CVSS, involves server-side request forgery (SSRF). This vulnerability could allow malicious actors to exploit the system for data leaks. These vulnerabilities have been addressed in the latest version, 3.9.7, of Notes Station 3.
Additionally, other serious vulnerabilities patched in this application include CVE-2024-38644 (command injection, CVSS 8.7) and CVE-2024-38646 (data access vulnerability, CVSS 8.4). While exploitation of these flaws requires valid user credentials, they still represent significant risks for multi-user environments.
The spotlight also shines on QNAP’s QuRouter systems. The firmware version 2.4.x was found vulnerable to CVE-2024-48860, a command execution flaw rated 9.5 on CVSS. Exploitable by remote attackers, this vulnerability could allow the execution of arbitrary commands. The issue has been resolved in version 2.4.3.106, which also addresses a less severe flaw, CVE-2024-48861 (CVSS 7.3).
Other QNAP products have also received critical updates, including:
- QNAP AI Core: A data disclosure vulnerability, CVE-2024-38647 (CVSS 7.9), has been patched in version 3.4.1.
- QuLog Center: A file system bypass flaw, CVE-2024-48862 (CVSS 8.7), has been addressed in versions 1.7.0.831 and 1.8.0.888.
- QTS and QuTS Hero Operating Systems: Format string handling vulnerabilities, CVE-2024-50396 and CVE-2024-50397, both rated 7.7 on CVSS, are resolved in QTS 5.2.1.2930 and QuTS Hero h5.2.1.2929.
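To turn the fixed versions listed above into a quick patch-status check, here is an added example (not QNAP's tooling or code from the article) that compares an installed version string against the fixed builds named in this advisory. The inventory is constructed sample data, and the rule for versions on a release branch with no listed fix (newer than every fixed build counts as patched, older does not) is an assumption of this script, not a vendor statement.

```python
"""Flag QNAP components still below the fixed versions named in this advisory."""
import re
from typing import List, Tuple

# Fixed versions exactly as stated in the advisory text. QuLog Center ships two
# release branches, each with its own fixed build.
FIXED_VERSIONS = {
    "Notes Station 3": ["3.9.7"],
    "QuRouter": ["2.4.3.106"],
    "QNAP AI Core": ["3.4.1"],
    "QuLog Center": ["1.7.0.831", "1.8.0.888"],
    "QTS": ["5.2.1.2930"],
    "QuTS hero": ["h5.2.1.2929"],
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.4.3.106' or 'h5.2.1.2929' into a tuple of ints.
    Letter prefixes such as the 'h' on QuTS hero builds are ignored."""
    parts = re.findall(r"\d+", version)
    if not parts:
        raise ValueError(f"no numeric components in version {version!r}")
    return tuple(int(p) for p in parts)


def compare(installed: str, fixed: str) -> int:
    """Return -1, 0 or 1 like a classic comparator; missing trailing
    components are treated as zero so '3.9.7' == '3.9.7.0'."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return (a > b) - (a < b)


def is_patched(product: str, installed: str) -> bool:
    """True when the installed build is at or above the fixed build for its
    release branch (major.minor). Assumption: a branch newer than every
    listed fix is treated as patched, an older one as not patched."""
    fixed_builds = FIXED_VERSIONS[product]
    branch = parse_version(installed)[:2]
    same_branch = [f for f in fixed_builds if parse_version(f)[:2] == branch]
    if same_branch:
        return compare(installed, same_branch[0]) >= 0
    return all(compare(installed, f) > 0 for f in fixed_builds)


def assess_inventory(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Annotate each (product, version) pair with PATCHED or NEEDS UPDATE."""
    return [(p, v, "PATCHED" if is_patched(p, v) else "NEEDS UPDATE")
            for p, v in inventory]


# Constructed sample inventory, not real device data.
SAMPLE_INVENTORY = [("Notes Station 3", "3.9.6"), ("QuLog Center", "1.7.0.900"),
                    ("QuTS hero", "h5.2.0.1000"), ("QuRouter", "2.4.3.106")]
```

Running `assess_inventory(SAMPLE_INVENTORY)` prints nothing by itself; it returns the annotated list, which is convenient to feed into a ticketing or reporting step.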
QNAP strongly advises users to avoid directly connecting sensitive devices to the internet. Instead, it recommends leveraging VPNs to mitigate remote attack risks.
The company emphasized the urgency of these updates: “Installing these security patches is essential to protect your systems from potential exploitation by malicious actors.”
Now that these vulnerabilities have been addressed, users are encouraged to remain vigilant and ensure their devices are running the latest firmware to maintain robust security.