

Severity
High
Analysis Summary
Network-attached storage (NAS) maker QNAP released security updates to address vulnerabilities that could enable attackers to take control of unpatched NAS devices following successful exploitation. QNAP patched eight vulnerabilities today, affecting all QNAP NAS devices running vulnerable software.
Four vulnerabilities have been reported to affect earlier versions of QTS and QuTS hero.
CVE-2020-2495 & CVE-2020-2496: If exploited, these cross-site scripting vulnerabilities could allow remote attackers to inject malicious code in File Station.
CVE-2020-2497: If exploited, this cross-site scripting vulnerability could allow remote attackers to inject malicious code in System Connection Logs.
CVE-2020-2498: If exploited, this cross-site scripting vulnerability could allow remote attackers to inject malicious code in certificate configuration.
CVE-2020-2494: This cross-site scripting vulnerability in Music Station allows remote attackers to inject malicious code.
CVE-2020-2493: Found in QNAP NAS running Multimedia Console, this cross-site scripting vulnerability allows remote attackers to inject malicious code.
CVE-2020-2491: This cross-site scripting vulnerability in Photo Station allows remote attackers to inject malicious code.
CVE-2019-7198: Found in all QNAP NAS devices, this command injection vulnerability allows attackers to execute arbitrary commands in a compromised application.
Impact
- Cross-site Scripting
- Code Execution
- Command Injection
- Device Takeover
Remediation
These vulnerabilities have been fixed in the following versions. Update to the latest patched versions.
QTS and QuTS hero (multiple vulnerabilities):
- QuTS hero h4.5.1.1472 build 20201031 and later
- QTS 4.5.1.1456 build 20201015 and later
- QTS 4.4.3.1354 build 20200702 and later
- QTS 4.3.6.1333 build 20200608 and later
- QTS 4.3.4.1368 build 20200703 and later
- QTS 4.3.3.1315 build 20200611 and later
- QTS 4.2.6 build 20200611 and later
https://www.qnap.com/en/security-advisory/qsa-20-12
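A fleet check against the QTS and QuTS hero list above, as an added example (not Rewterz or QNAP code). It assumes firmware strings are recorded in the same `X.Y.Z.NNNN build YYYYMMDD` form this page uses; the hostnames and firmware values in the inventory are constructed.

```python
import re

# Minimum fixed releases copied from the QTS / QuTS hero list above (QSA-20-12).
# Key: (product, branch); value: (build number or None, build date).
FIXED = {
    ("QuTS hero", "4.5.1"): (1472, 20201031),
    ("QTS", "4.5.1"): (1456, 20201015),
    ("QTS", "4.4.3"): (1354, 20200702),
    ("QTS", "4.3.6"): (1333, 20200608),
    ("QTS", "4.3.4"): (1368, 20200703),
    ("QTS", "4.3.3"): (1315, 20200611),
    ("QTS", "4.2.6"): (None, 20200611),  # the page gives only a build date here
}

# Assumed input shape: "<QTS|QuTS hero> [h]X.Y.Z[.NNNN] build YYYYMMDD"
_FW = re.compile(
    r"^(QuTS hero|QTS)\s+h?(\d+\.\d+\.\d+)(?:\.(\d+))?\s+build\s+(\d{8})$", re.I)

def check_firmware(fw: str) -> str:
    """Return 'patched', 'vulnerable' or 'unknown' for one firmware string."""
    m = _FW.match(fw.strip())
    if not m:
        return "unknown"  # unparseable input: flag for manual review, never guess
    product = "QuTS hero" if m.group(1).lower().startswith("quts") else "QTS"
    branch, number, date = m.group(2), m.group(3), int(m.group(4))
    fixed = FIXED.get((product, branch))
    if fixed is None:
        return "unknown"  # branch is not in the page's list (older or newer)
    fixed_number, fixed_date = fixed
    if fixed_number is not None and number is not None:
        ok = (int(number), date) >= (fixed_number, fixed_date)
    else:
        ok = date >= fixed_date  # fall back to the build date alone
    return "patched" if ok else "vulnerable"

# Constructed inventory: hostnames and firmware values are sample data.
INVENTORY = {
    "nas-backup-01": "QTS 4.4.3.1270 build 20200410",
    "nas-media-02": "QTS 4.5.1.1456 build 20201015",
    "nas-lab-03": "QuTS hero h4.5.1.1472 build 20201031",
    "nas-legacy-04": "QTS 4.2.6 build 20200421",
}

def triage(inventory):
    """Map each host to its patch status."""
    return {host: check_firmware(fw) for host, fw in inventory.items()}

if __name__ == "__main__":
    for host, status in triage(INVENTORY).items():
        print(f"{host}: {status}")
```

Devices reported as `unknown` run a branch the list does not cover and need to be checked against the vendor advisory by hand.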
Music Station:
- QuTS hero h4.5.1: Music Station 5.3.13 and later
- QTS 4.5.1: Music Station 5.3.12 and later
- QTS 4.4.3: Music Station 5.3.12 and later
https://www.qnap.com/en/security-advisory/qsa-20-13
Multimedia Console:
- Update to 1.1.5 and later.
https://www.qnap.com/en/security-advisory/qsa-20-14
Photo Station:
- QTS 4.5.1: Photo Station 6.0.12 and later
- QTS 4.4.3: Photo Station 6.0.12 and later
- QTS 4.3.6: Photo Station 5.7.12 and later
- QTS 4.3.4: Photo Station 5.7.13 and later
- QTS 4.3.3: Photo Station 5.4.10 and later
- QTS 4.2.6: Photo Station 5.2.11 and later
https://www.qnap.com/en/security-advisory/qsa-20-15
QTS and QuTS hero (command injection):
- QuTS hero h4.5.1.1472 build 20201031 and later
- QTS 4.5.1.1456 build 20201015 and later
- QTS 4.4.3.1354 build 20200702 and later