
Multiple QNAP Products Vulnerabilities

Severity

High

Analysis Summary

CVE-2024-51366 CVSS:8.7

QNAP QTS and QuTS hero could allow a remote attacker to traverse directories on the system. An attacker could send a specially crafted request to read the contents of unexpected files and expose sensitive data.

CVE-2024-39300 CVSS:7.2

Multiple QNAP products could allow a remote authenticated attacker to execute arbitrary commands on the system by sending a specially crafted request.

CVE-2024-39298 CVSS:7.8

QNAP QTS and QuTS hero could allow a local authenticated attacker to bypass security restrictions, caused by a missing authorization vulnerability. By sending a specially crafted request, an attacker could exploit this vulnerability to access data or perform actions.

CVE-2024-34974 CVSS:8.8

Multiple QNAP products could allow a remote attacker to execute arbitrary commands on the system by sending a specially crafted request.

CVE-2024-32763 CVSS:8.8

QNAP QTS and QuTS hero could allow a local attacker to execute arbitrary code on the system by sending a specially crafted request.

CVE-2024-21897 CVSS:8.9

QNAP QTS and QuTS hero are vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote authenticated attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.

CVE-2024-21898 CVSS:8.8

QNAP QTS and QuTS hero could allow a remote authenticated attacker to execute arbitrary commands on the system by sending a specially crafted request.

Impact

  • Gain Access
  • Code Execution
  • Security Bypass
  • Cross-Site Scripting

Indicators of Compromise

CVE

  • CVE-2024-51366
  • CVE-2024-39300
  • CVE-2024-39298
  • CVE-2024-34974
  • CVE-2024-32763
  • CVE-2024-21897
  • CVE-2024-21898

Affected Vendors

QNAP

Affected Products

  • QNAP Systems Inc. QTS - 5.1.x
  • QNAP Systems Inc. QuTS hero
  • QNAP Systems Inc. QTS - 4.3.6
  • QNAP Systems Inc. QTS
  • QNAP Systems Inc. QuTScloud
  • QNAP Systems Inc. QuTS hero - h5.1.x
  • QNAP Systems Inc. QTS - 4.5.x
  • QNAP Systems Inc. QuTS hero - h4.5.x
  • QNAP Systems Inc. QVR
  • QNAP Systems Inc. QES

Remediation

Refer to QNAP Security Advisory for patch, upgrade or suggested workaround information.

CVE-2024-51366

CVE-2024-39300

CVE-2024-39298

CVE-2024-34974

CVE-2024-32763

CVE-2024-21897

CVE-2024-21898