
QNAP Urges Users to Patch Critical Vulnerabilities in NAS and QuRouter Solutions

  • Last updated November 27, 2024

November 27, 2024 – QNAP has issued a warning to its customers regarding critical vulnerabilities in its Network Attached Storage (NAS) and QuRouter solutions that could enable remote attackers to execute arbitrary commands on affected systems.

QNAP, a provider of network and software solutions, serves a range of clients including major IT service firms like Accenture, Cognizant, and Infosys. The company has recently identified several security flaws that necessitate immediate attention from users to protect their systems.

The vulnerabilities include a combination of missing authentication and OS command injection issues. QNAP stated, “Multiple vulnerabilities have been reported to affect Notes Station 3 and QuRouter,” urging users to update to the latest versions of these applications to mitigate risks.

One significant vulnerability, tracked as CVE-2024-38643, affects the Notes Station 3 application, which is used for note-taking and collaboration on NAS devices. This flaw has been assigned a CVSS v3 severity rating of 9.8 and could allow unauthorized remote access to vulnerable systems. It impacts Notes Station 3 versions 3.9.x and has been addressed in versions 3.9.7 and later. Another related vulnerability, CVE-2024-38645, allows remote actors to read application data and is rated 9.4/10 on the CVSS scale.

Additionally, a command-injection vulnerability, CVE-2024-38644, rated 8.8/10, poses a critical risk by enabling attackers with access to execute arbitrary code on affected systems. Together, these vulnerabilities could lead to a complete system takeover, highlighting the urgency for users to apply the necessary updates.

In a separate advisory, QNAP also addressed a critical flaw in its QuRouter networking devices, tracked as CVE-2024-48860. This command injection vulnerability allows remote attackers to execute commands on the host system and has a critical CVSS v3 rating of 9.8. It affects QuRouter versions 2.4.x and has been patched in version 2.4.3.106 and later.

QNAP’s advisories emphasize the importance of immediate action to secure systems against these vulnerabilities, which pose significant risks to data integrity and security.
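For administrators checking whether their installed versions fall in the affected ranges above, the following is an added example, not code from QNAP or from the original article. The host names and inventory rows are constructed, and the function names are hypothetical; only the affected branches, fixed versions and CVE identifiers come from the text.

```python
import re

# Affected branch and first fixed version, as stated in the article.
ADVISORIES = {
    "Notes Station 3": {"branch": (3, 9), "fixed": (3, 9, 7), "cve": "CVE-2024-38643"},
    "QuRouter": {"branch": (2, 4), "fixed": (2, 4, 3, 106), "cve": "CVE-2024-48860"},
}

# Constructed sample inventory: (host, product, installed version).
INVENTORY = [
    ("nas-01", "Notes Station 3", "3.9.6"),
    ("nas-02", "Notes Station 3", "3.9.10"),
    ("nas-03", "Notes Station 3", "unknown"),
    ("rtr-01", "QuRouter", "2.4.3.99"),
    ("rtr-02", "QuRouter", "2.4.3.106"),
    ("rtr-03", "QuRouter", "2.4.2"),
]

def parse_version(text):
    """Turn '2.4.3.106' into (2, 4, 3, 106); None if not dotted-numeric."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        return None
    return tuple(int(part) for part in text.split("."))

def assess(product, version_text):
    """Return (status, cve) for one installed product/version pair."""
    adv = ADVISORIES.get(product)
    if adv is None:
        return ("not-covered", None)
    version = parse_version(version_text)
    if version is None:
        return ("unparsed", adv["cve"])  # needs a manual check
    if version[:2] != adv["branch"]:
        return ("outside-branch", adv["cve"])  # consult the vendor advisory
    # Compare numerically, padding the shorter tuple with zeros, so that
    # 2.4.3.99 sorts below 2.4.3.106 and 3.9.10 sorts above 3.9.7.
    width = max(len(version), len(adv["fixed"]))
    installed = version + (0,) * (width - len(version))
    fixed = adv["fixed"] + (0,) * (width - len(adv["fixed"]))
    return ("vulnerable" if installed < fixed else "patched", adv["cve"])

def triage(inventory):
    """Hosts whose installed version is below the fixed version."""
    return [host for host, product, ver in inventory
            if assess(product, ver)[0] == "vulnerable"]

if __name__ == "__main__":
    for host, product, ver in INVENTORY:
        print(host, product, ver, *assess(product, ver))
```

Rows reported as `unparsed` or `outside-branch` are not cleared by this check and should be verified against QNAP's advisories directly.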