By LBT Technology Group, LLC. on Saturday, 16 March 2024
Category: Security

Critical vulnerabilities in QNAP devices

Threat update

Critical authentication bypass vulnerabilities have been identified in QNAP network attached storage (NAS) devices. These flaws pose significant risks, allowing unauthorized access to affected devices. Review the recommendations in this Cybersecurity Threat Advisory to ensure your systems are secure. 

Technical Detail and Additional Info

What is the threat?

The threats involve critical authentication bypass vulnerabilities affecting the following products: QTS, QuTS hero, QuTScloud, and myQNAPcloud. These flaws could be exploited by malicious actors to gain unauthorized access to the targeted devices. The manufacturer has identified three vulnerabilities, presenting risks of authentication bypass, command injection, and SQL injection respectively. They are as follows:

  1. CVE-2024-21899: Flawed authentication mechanisms allow unauthorized users to compromise system security remotely via the network.
  2. CVE-2024-21900: Authenticated users could exploit this flaw to run commands on the system through the network, potentially gaining unauthorized access or control.
  3. CVE-2024-21901: Authenticated administrators could take advantage of this flaw to inject malicious SQL code through the network, risking database integrity and content manipulation.

Why is it noteworthy?

These threats are significant due to their potential to compromise the security of QNAP NAS devices widely used by individuals and organizations for storage and data management. These also raise concern for the overall security of data storage solutions. 

What is the exposure or risk?

Organizations relying on these devices for file storage, backups, and collaborative work are at risk of data breaches, unauthorized data manipulation, or service interruptions.

What are the recommendations?

LBT Technology Group, LLC. recommends the following actions to limit the impact of these vulnerabilities:

References

For more in-depth information about the recommendations, please visit the following links:

If you have any questions, please contact LBT's Sales Engineer.
