QNAP Security Advisory
Bulletin ID: QSA-24-36, QSA-24-37, QSA-24-39, QSA-24-40, QSA-24-43, QSA-24-44, QSA-24-46, QSA-24-47
Taipei, Taiwan, November 23, 2024 - QNAP® has published security enhancements that address security vulnerabilities affecting specific versions of QNAP products. Please use the following information and solutions to correct the security issues and vulnerabilities.
This advisory includes the following:
Multiple Vulnerabilities in Notes Station 3 (ID: QSA-24-36)
Multiple Vulnerabilities in OpenSSH (ID: QSA-24-37)
Multiple Vulnerabilities in Photo Station (ID: QSA-24-39)
Vulnerability in QNAP AI Core (ID: QSA-24-40)
Multiple Vulnerabilities in QTS and QuTS hero (ID: QSA-24-43)
Multiple Vulnerabilities in QuRouter (ID: QSA-24-44)
Vulnerability in QuLog Center (ID: QSA-24-46)
Vulnerability in Media Streaming Add-on (ID: QSA-24-47)
Multiple Vulnerabilities in Notes Station 3
Security ID: QSA-24-36
Release date: November 23, 2024
CVE identifier: CVE-2024-38643 | CVE-2024-38644 | CVE-2024-38645 | CVE-2024-38646
Severity: Important
Status: Resolved
Affected products: Notes Station 3 version 3.9.x
Summary
Multiple vulnerabilities have been reported to affect Notes Station 3:
CVE-2024-38643: If exploited, the missing authentication for critical function vulnerability could allow remote attackers to gain access to the system.
CVE-2024-38644: If exploited, the command injection vulnerability could allow remote attackers who have gained user access to execute arbitrary commands.
CVE-2024-38645: If exploited, the server-side request forgery (SSRF) vulnerability could allow remote attackers who have gained user access to read application data.
CVE-2024-38646: If exploited, the incorrect permission assignment for critical resource vulnerability could allow local attackers who have gained administrator access to gain unauthorized access to data.
We have already fixed the vulnerabilities in the following version:
Affected Product | Fixed Version
Notes Station 3 version 3.9.x | Notes Station 3 version 3.9.7 and later
Multiple Vulnerabilities in OpenSSH
Security ID: QSA-24-37
Release date: November 23, 2024
CVE identifier: CVE-2023-38408 | CVE-2021-41617 | CVE-2020-14145
Severity: Moderate
Status: Resolved
Affected products: QTS 5.1.x, QuTS hero h5.1.x
Summary
Multiple vulnerabilities have been reported in OpenSSH. The vulnerabilities have been found to affect certain QNAP operating system versions.
We have already fixed the vulnerabilities in the following versions:
Affected Product | Fixed Version
QTS 5.1.x | QTS 5.1.8.2823 build 20240712 and later
QuTS hero h5.1.x | QuTS hero h5.1.8.2823 build 20240712 and later
Multiple Vulnerabilities in Photo Station
Security ID: QSA-24-39
Release date: November 23, 2024
CVE identifier: CVE-2024-32767 | CVE-2024-32768 | CVE-2024-32769 | CVE-2024-32770
Severity: Moderate
Status: Resolved
Affected products: Photo Station 6.4.x
Summary
Multiple vulnerabilities have been reported to affect Photo Station:
CVE-2024-32767, CVE-2024-32768, CVE-2024-32769, CVE-2024-32770: If exploited, the cross-site scripting (XSS) vulnerabilities could allow remote attackers who have gained user access to bypass security mechanisms or read application data.
We have already fixed the vulnerabilities in the following version:
Affected Product | Fixed Version
Photo Station 6.4.x | Photo Station 6.4.3 (2024/07/12) and later
Vulnerability in QNAP AI Core
Security ID: QSA-24-40
Release date: November 23, 2024
CVE identifier: CVE-2024-38647
Severity: Important
Status: Resolved
Affected products: QNAP AI Core 3.4.x
Summary
An exposure of sensitive information vulnerability has been reported to affect QNAP AI Core. If exploited, the vulnerability could allow remote attackers to compromise the security of the system.
We have already fixed the vulnerability in the following version:
Affected Product | Fixed Version
QNAP AI Core 3.4.x | QNAP AI Core 3.4.1 and later
Multiple Vulnerabilities in QTS and QuTS hero
Security ID: QSA-24-43
Release date: November 23, 2024
CVE identifier: CVE-2024-37041 | CVE-2024-37042 | CVE-2024-37043 | CVE-2024-37044 | CVE-2024-37045 | CVE-2024-37046 | CVE-2024-37047 | CVE-2024-37048 | CVE-2024-37049 | CVE-2024-37050 | CVE-2024-50396 | CVE-2024-50397 | CVE-2024-50398 | CVE-2024-50399 | CVE-2024-50400
Severity: Important
Status: Resolved
Affected products: QTS 5.2.x, QuTS hero h5.2.x
Summary
Multiple vulnerabilities have been reported to affect certain QNAP operating system versions:
CVE-2024-37041, CVE-2024-37044, CVE-2024-37047, CVE-2024-37049, CVE-2024-37050: If exploited, the buffer overflow vulnerabilities could allow remote attackers who have gained administrator access to modify memory or crash processes.
CVE-2024-37042, CVE-2024-37045, CVE-2024-37048: If exploited, the NULL pointer dereference vulnerabilities could allow remote attackers who have gained administrator access to launch a denial-of-service (DoS) attack.
CVE-2024-37043, CVE-2024-37046: If exploited, the path traversal vulnerabilities could allow remote attackers who have gained administrator access to read the contents of unexpected files or system data.
CVE-2024-50396, CVE-2024-50397, CVE-2024-50398, CVE-2024-50399, CVE-2024-50400, CVE-2024-50401: If exploited, the use of externally-controlled format string vulnerabilities could allow remote attackers to obtain secret data or modify memory.
We have already fixed the vulnerabilities in the following versions:
Affected Product | Fixed Version
QTS 5.2.x | QTS 5.2.1.2930 build 20241025 and later
QuTS hero h5.2.x | QuTS hero h5.2.1.2929 build 20241025 and later
Multiple Vulnerabilities in QuRouter
Security ID: QSA-24-44
Release date: November 23, 2024
CVE identifier: CVE-2024-48860 | CVE-2024-48861
Severity: Important
Status: Resolved
Affected products: QuRouter 2.4.x
Summary
Multiple vulnerabilities have been reported to affect QuRouter:
CVE-2024-48860, CVE-2024-48861: If exploited, the command injection vulnerabilities could allow remote attackers to execute arbitrary commands.
We have already fixed the vulnerabilities in the following version:
Affected Product | Fixed Version
QuRouter 2.4.x | QuRouter 2.4.3.106 and later
Vulnerability in QuLog Center
Security ID: QSA-24-46
Release date: November 23, 2024
CVE identifier: CVE-2024-48862
Severity: Important
Status: Resolved
Affected products: QuLog Center 1.7.x and 1.8.x
Summary
A link following vulnerability has been reported to affect QuLog Center. If exploited, the vulnerability could allow remote attackers to traverse the file system to unintended locations.
We have already fixed the vulnerability in the following versions:
Affected Product | Fixed Version
QuLog Center 1.7.x | QuLog Center 1.7.0.831 (2024/10/15) and later
QuLog Center 1.8.x | QuLog Center 1.8.0.888 (2024/10/15) and later
Vulnerability in Media Streaming Add-on
Security ID: QSA-24-47
Release date: November 23, 2024
CVE identifier: CVE-2024-50395
Severity: Moderate
Status: Resolved
Affected products: Media Streaming Add-on 500.1.x
Summary
An authorization bypass through user-controlled key vulnerability has been reported to affect Media Streaming Add-on. If exploited, the vulnerability could allow attackers with local network access to gain unintended privileges.
We have already fixed the vulnerability in the following version:
Affected Product | Fixed Version
Media Streaming Add-on 500.1.x | Media Streaming Add-on 500.1.1.6 (2024/08/02) and later
If you have any questions regarding this issue, please contact us at https://www.qnap.com/go/support-ticket/.