Updates for QNAP’s network-attached storage (NAS) systems have been released to address a critical security flaw that might allow arbitrary code injection.
Customers of QNAP are being advised to update their QTS and QuTS firmware in order to fix a critical security flaw.
The security flaw is tracked as (CVE-2022-27596) and rated as “Critical” (CVSS v3 score: 9.8). It affects the QTS 5.0.1 and QuTS hero h5.0.1 versions of the operating system.
“Vulnerability has been reported to affect QNAP devices running QTS 5.0.1 and QuTS hero h5.0.1. If exploited, this vulnerability allows remote attackers to inject malicious code”, according to the QNAP security advisory.
The NIST National Vulnerability Database (NVD) has identified the flaw as an SQL injection vulnerability despite the fact that the specific technical details around it are unclear.
By using specially crafted requests to change valid SQL queries and perform unexpected actions on vulnerable devices, attackers can take advantage of SQL injection flaws.
“Just as it may be possible to read sensitive information, it is also possible to make changes or even delete this information with a SQL injection attack,” according to MITRE.
According to a JSON file that QNAP released outlining the severity of the vulnerability, it can be easily exploited by remote attackers using low-complexity attacks without the involvement of users or privileges to the targeted device.
Notably, CVE-2022-27596 has not been flagged as being actively exploited in the wild by QNAP’s advisory.
Updates for QNAP NAS Critical Vulnerability
According to QNAP, users should update their devices operating on QTS and QuTS hero to the following versions to stay secure:
- QTS 188.8.131.524 build 20221201 and later
- QuTS hero h184.108.40.2068 build 20221215 and later
Users are encouraged to log in as an administrator to QTS or QuTS hero, navigate to Control Panel > System > Firmware Update, and choose “Check for Update” under the “Live Update” section to install the updates.
Users of QNAP can also manually upgrade their devices by downloading the update from QNAP’s Download Center after choosing the appropriate product type and model.
Hence, users are advised to install any available security upgrades as soon as possible owing to the seriousness of the flaw, since threat actors regularly hunt for QNAP vulnerabilities.
Network Security Checklist – Download Free E-Book