Request a Demo
Rewterz
CVE-2024-4439 – WordPress WP Core Plugin Vulnerability
May 6, 2024
Rewterz
XWorm Malware – Active IOCs
May 7, 2024

Multiple QNAP Products Vulnerabilities

Severity

High

Analysis Summary

CVE-2024-32764 CVSS:9.9

QNAP myQNAPcloud Link could allow a remote attacker to bypass security restrictions, caused by missing authentication for critical function vulnerability. By sending a specially crafted request, an attacker could exploit this vulnerability to gain access to and execute certain functions.

CVE-2024-32766 CVSS:10

Multiple QNAP products could allow a remote attacker to execute arbitrary commands on the system. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary commands on the system.

CVE-2023-50358 CVSS:7.2

QNAP QTS and QuTS Hero could allow a remote authenticated attacker to execute arbitrary commands on the system caused by a OS command injection vulnerability. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.

CVE-2023-50359 CVSS:5.5

QNAP QTS and QuTS Hero is vulnerable to a denial of service. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service or other unspecified impact

CVE-2023-50361 CVSS:8.8

QNAP QTS and QuTS Hero is vulnerable a buffer overflow, caused by improper bounds checking. By persuading a victim to open a specially crafted file, a remote authenticated attacker could overflow a buffer and execute arbitrary code on the system.

CVE-2023-50362 CVSS:8.8

QNAP QTS and QuTS Hero is vulnerable a buffer overflow, caused by improper bounds checking. By persuading a victim to open a specially crafted file, a remote authenticated attacker could overflow a buffer and execute arbitrary code on the system.

CVE-2023-50363 CVSS:7.5

QNAP QTS and QuTS Hero could allow a remote attacker to bypass security restrictions, caused by incorrect authorization. By sending a specially crafted request, an attacker could exploit this vulnerability to bypass access restrictions to bypass 2-step verification.

CVE-2023-50364 CVSS:7.2

QNAP QTS and QuTS Hero could allow a remote authenticated attacker to execute arbitrary code on the system, caused by not checking the size of input in buffer copy. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.

Impact

  • Denial of Service
  • Gain Access
  • Security Bypass
  • Buffer Overflow
  • Code Execution

Indicators of Compromise

CVE

  • CVE-2024-32764
  • CVE-2024-32766
  • CVE-2023-50358
  • CVE-2023-50359
  • CVE-2023-50361
  • CVE-2023-50362
  • CVE-2023-50363
  • CVE-2023-50364

Affected Vendors

QNAP

Affected Products

  • QNAP QTS 4.3.4
  • QNAP QTS 4.3.5
  • QNAP QTS
  • QNAP QuTS hero
  • QNAP QTS 4.5.x Proxy Server 1.4.2
  • QNAP QTS 4.3.6
  • QNAP QTS 5.0.0
  • QNAP QTS 5.0.1
  • QNAP QuTS hero h5.0.1
  • QNAP QuTS hero h5.1.0
  • QNAP QTS 5.1.0
  • QNAP QuTS Hero h5.0.0
  • QNAP QuTS hero h4.5
  • QNAP myQNAPcloud Link 2.4.50
  • QNAP QuTScloud
  • QNAP QuTScloud 5.1.4

Remediation

Refer to QNAP Security Advisory for patch, upgrade or suggested workaround information.

CVE-2024-32764

CVE-2024-32766

CVE-2023-50358

CVE-2023-50359

CVE-2023-50361

CVE-2023-50362

CVE-2023-50363

CVE-2023-50364