Threat update
Critical authentication bypass vulnerabilities have been identified in QNAP network attached storage (NAS) devices. These flaws pose significant risks, allowing unauthorized access to affected devices. Review the recommendations in this Cybersecurity Threat Advisory to ensure your systems are secure.
Technical Detail and Additional Info
What is the threat?
The threats involve critical authentication bypass vulnerabilities affecting the following devices: QTS, QuTS hero, QuTScloud, and myQNAPcloud. These flaws could be exploited by malicious actors to gain unauthorized access to the targeted devices. The manufacturer has identified three vulnerabilities, each presenting risks of authentication bypass, command injection, and SQL injection. They are as follows:
- CVE-2024-21899: Flawed authentication mechanisms allow unauthorized users to compromise system security remotely via the network.
- CVE-2024-21900: Authenticated users could exploit this flaw to run commands on the system through the network, potentially gaining unauthorized access or control.
- CVE-2024-21901: Authenticated administrators could take advantage of this flaw to inject malicious SQL code through the network, risking database integrity and content manipulation.
Why is it noteworthy?
These threats are significant due to their potential to compromise the security of QNAP NAS devices widely used by individuals and organizations for storage and data management. These also raise concern for the overall security of data storage solutions.
What is the exposure or risk?
Organizations relying on these devices for file storage, backups, and collaborative work are at risk of data breaches, unauthorized data manipulation, or service interruptions.
What are the recommendations?
LBT Technology Group, LLC. recommends the following actions to limit the impact of these vulnerabilities:
- Ensure prompt installation of the latest QNAP firmware to address and mitigate the identified vulnerabilities:
- QTS 5.1.3.2578 build 20231110 and later
- QTS 4.5.4.2627 build 20231225 and later
- QuTS hero h5.1.3.2578 build 20231110 and later
- QuTS hero h4.5.4.2626 build 20231225 and later
- QuTScloud c5.1.5.2651 and later
- myQNAPcloud 1.0.52 (2023/11/24) and later
- Enforce robust password policies and consider implementing multi-factor authentication to enhance overall system security.
- Isolate NAS devices from direct internet access to reduce exposure and potential attack vectors.
- Keep a vigilant eye on device logs for any unusual activities and investigate and respond promptly to potential security incidents.
- Regularly review and adjust user access permissions to minimize the risk of unauthorized entry.
- Provide security awareness training to users, emphasizing the importance of adhering to secure practices and reporting suspicious activities.
- Implement regular data backups to ensure quick recovery in case of a security incident or data loss.
- Consider implementing additional network security measures, such as firewalls and intrusion detection systems.
References
For more in-depth information about the recommendations, please visit the following links:
- https://lbttechgroup.com/index.php/blog/qnap-warns-of-critical-auth-bypass-flaw-in-its-nas-devices
- https://www.securityweek.com/critical-vulnerability-allows-access-to-qnap-nas-devices/
If you have any questions, please contact LBT's Sales Engineer.