CyberWatch

Critical QNAP NAS OS Vulnerability

By

Access Point Consulting

Summary

A critical-severity vulnerability has been identified in several QNAP operating system versions. It is tracked as CVE-2023-23368 and has a CVSS score of 9.8. According to QNAP, if exploited it can allow users to execute commands via a network.

Impact Assessment

The vulnerability impacts several QNAP operating systems which are typically used with a QNAP NAS setup for cloud storage. It is a high severity vulnerability which allows a remote attacker to execute OS-level commands, which is bad news for any user or organization.

Affected Product      Fixed Version
QTS 5.0.x             QTS 5.0.1.2376 build 20230421 and later
QTS 4.5.x             QTS 4.5.4.2374 build 20230416 and later
QuTS hero h5.0.x      QuTS hero h5.0.1.2376 build 20230421 and later
QuTS hero h4.5.x      QuTS hero h4.5.4.2374 build 20230417 and later
QuTScloud c5.0.x      QuTScloud c5.0.1.2374 and later

What it means for you

It is recommended that you audit your organization’s software inventory to see if your company is using QNAP operating systems. If you are, follow vendor recommendations and patch to the latest version. Use the following link to check the status of updates on affected QNAP devices.

Remediation

Update the affected QNAP operating system to the fixed version shown in the table above, or later.
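One way to check a device inventory against the fixed versions in the table above, as an added example that is not part of the original advisory or any QNAP tooling. It assumes inventory firmware strings look like `QTS 5.0.1.2376 build 20230421`; the hostnames and sample firmware strings are constructed.

```python
import re

# Fixed releases from the advisory table: (product, branch) -> (version, build date).
FIXED = {
    ("QTS", "5.0"): ((5, 0, 1, 2376), 20230421),
    ("QTS", "4.5"): ((4, 5, 4, 2374), 20230416),
    ("QuTS hero", "5.0"): ((5, 0, 1, 2376), 20230421),
    ("QuTS hero", "4.5"): ((4, 5, 4, 2374), 20230417),
    ("QuTScloud", "5.0"): ((5, 0, 1, 2374), None),  # table lists no build date
}

# Assumed inventory format: "<product> [h|c]<a.b.c.d>[ build <YYYYMMDD>]"
_FW = re.compile(r"^(QTS|QuTS hero|QuTScloud)\s+[hc]?(\d+(?:\.\d+){3})(?:\s+build\s+(\d{8}))?$")

def assess(firmware):
    """Classify one firmware string against the advisory's fixed versions."""
    m = _FW.match(firmware.strip())
    if not m:
        return "unparsed"
    product = m.group(1)
    ver = tuple(int(p) for p in m.group(2).split("."))
    build = int(m.group(3)) if m.group(3) else None
    fixed = FIXED.get((product, f"{ver[0]}.{ver[1]}"))
    if fixed is None:
        return "not-listed"  # branch not in the table; consult the vendor advisory
    fixed_ver, fixed_build = fixed
    if ver != fixed_ver:
        return "patched" if ver > fixed_ver else "vulnerable"
    if fixed_build is None:
        return "patched"
    if build is None:
        return "build-unknown"  # same version number; build date needed to decide
    return "patched" if build >= fixed_build else "vulnerable"

def audit(inventory):
    # inventory maps hostname -> firmware string; returns hostname -> status
    return {host: assess(fw) for host, fw in inventory.items()}

# Constructed sample inventory (hostnames and firmware strings are made up).
SAMPLE = {
    "nas-finance": "QTS 5.0.1.2000 build 20230101",
    "nas-backup": "QTS 4.5.4.2374 build 20230416",
    "nas-lab": "QuTS hero h4.5.4.2374 build 20230410",
    "nas-cloud": "QuTScloud c5.0.1.2374",
    "nas-new": "QTS 5.1.0.9999 build 20240101",
}

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host}: {status}")
```

Devices reported as `not-listed` or `build-unknown` are not covered by the table as given and need a manual check against the vendor advisory.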

Updating QTS, QuTS hero, or QuTScloud

  1. Log in to QTS, QuTS hero, or QuTScloud as an administrator.
  2. Go to Control Panel > System > Firmware Update.
  3. Under Live Update, click Check for Update.
    The system downloads and installs the latest available update.

Tip: You can also download the update from the QNAP website. Go to Support > Download Center and then perform a manual update for your specific device.

Business Implications

Exploitation of this vulnerability can cause financial and data loss. The operating system(s) which are affected by this vulnerability are used with NAS storage devices. If these are compromised there is a great possibility of data exfiltration and loss. If these are business critical devices this could be detrimental to not only daily operations, but also any projects associated with the data stored on or apps accessed through this storage system. The impact depends greatly on proper network segmentation, what these devices are used for, and what the attacker plans to do upon successful exploitation.

Access Point Technology Recommends

Patch: We recommend following vendor recommendations and patching the affected OS versions as soon as possible.

Have data encryption standards: Following a data encryption standard can prevent exfiltrated data from being used as it will be encrypted. This applies to Data at Rest, Data in Use, and Data in Transit as they will each have different standards associated. Following NIST standards is a great starting point for implementing this at your organization.

Associated Bulletins

https://www.qnap.com/en-uk/security-advisory/qsa-23-31

https://nvd.nist.gov/vuln/detail/CVE-2023-23368
