CyberWatch

Critical QNAP NAS OS Vulnerability

By

By

Access Point Consulting

Summary

A vulnerability of critical-severity Chas been identified on several QNAP operating system versions. It is identified as CVE-2023-23368 and has a CVSS score of 9.8. If exploited it can allow users to execute commands via a network according to QNAP.

Impact Assessment

The vulnerability impacts several QNAP operating systems which are typically used with a QNAP NAS setup for cloud storage. It is a high severity vulnerability which allows a remote attacker to execute OS-level commands, which is bad news for any user or organization.

Affected Product          Fixed Version

QTS 5.0.x.                     QTS 5.0.1.2376 build   20230421 and later

QTS 4.5.x.                     QTS 4.5.4.2374 build   20230416 and later

QuTS hero h5.0.x.        QuTS hero h5.0.1.2376   build 20230421 and later

QuTS hero h4.5.x.        QuTS hero h4.5.4.2374   build 20230417 and later

QuTScloud c5.0.x.       QuTScloud c5.0.1.2374   and later

What it means for you

It is recommended that you audit your organization’s software inventory to see if your company is using QNAP operating systems. If you are, follow vendor recommendations and patch to the latest version. Use the following link to check the status of updates on affected QNAP devices.

Remediation

Update the affected QNAP operating system to the fixed version or later shown in the above table.

Updating QTS, QuTS hero, or QuTScloud

  1. Log in to QTS, QuTS hero, or QuTScloud as an administrator.
  2. Go to Control Panel > System > Firmware Update.
  3. Under Live Update, click Check for Update.
    The system downloads and installs the latest available update.

Tip: You can also download the update from the QNAP website. Go to Support > Download Center and then perform a manual update for your specific device.

Business Implications

Exploitation of this vulnerability can cause financial and data loss. The operating system(s) which are affected by this vulnerability are used with NAS storage devices. If these are compromised there is a great possibility of data exfiltration and loss. If these are business critical devices this could be detrimental to not only daily operations, but also any projects associated with the data stored on or apps accessed through this storage system. The impact depends greatly on proper network segmentation, what these devices are used for, and what the attacker plans to do upon successful exploitation.

Access Point Technology Recommends

Patch: We recommend following vendor recommendations and patch the affected OS versions as soon as possible.

Have data encryption standards: Following a data encryption standard can prevent exfiltrated data from being used as it will be encrypted. This applies to Data at Rest, Data in Use, and Data in Transit as they will each have different standards associated. Following NIST standards is a great starting point for implementing this at your organization.

Associated Bulletins

https://www.qnap.com/en-uk/security-advisory/qsa-23-31

https://nvd.nist.gov/vuln/detail/CVE-2023-23368

Resources

Trending Articles & Security Reports

Resources

CyberWatch

November 22, 2024

Patch Updates, New Malware Threats, and the Ongoing Supply Chain Battle

On this episode of the CyberWatch podcast, there are updates to software across the application and OS spectrum. New malicious campaigns are threatening victims of all sizes, and researchers have performed dissections on malware to give defenders new clues about just what it is they're fighting. All this today, in CyberWatch.

Find out more
October 25, 2024

Ransomware, Supply Chain Attacks, and Nation-State Threats

CyberWatch, by Access Point Consulting, is your weekly source for emerging cybersecurity news, regulatory updates, and threat intelligence. Backed by experts in security consulting, regulatory compliance, and security operations, Access Point enables you to manage cyber risks, respond to incidents, and drive innovation in your company. Read here or on our website; listen on Spotify or Apple Podcasts; or watch on YouTube.website; listen on Spotify or Apple Podcasts; or watch on YouTube. .

Find out more
October 7, 2024

VINs and Losses: How Hackers Take Kias for a Ride

In the age of smart cars and connected devices, convenience often comes with hidden risks. A recently discovered critical vulnerability in Kia vehicles serves as a stark reminder of how our increasingly digital world is making cars new targets for cyberattacks. This vulnerability allowed hackers to remotely control various vehicle functions—using nothing more than a car's license plate number. It highlights the growing threat of cyberattacks on connected cars and the importance of cybersecurity in the automotive industry.

Find out more