Security News > 2024 > February > QNAP vulnerability disclosure ends up an utter shambles

Network-attached storage specialist QNAP has disclosed and released fixes for two new vulnerabilities, one of them a zero-day discovered in early November.

Unit 42's assessment, on the other hand, was the polar opposite: "These remote code execution vulnerabilities affecting IoT devices exhibit a combination of low attack complexity and critical impact, making them an irresistible target for threat actors. As a result, protecting IoT devices against such threats is an urgent task."

Details of the disclosure timeline also offered a glimpse at what appears to be a slightly ticked-off Rapid7 after QNAP went silent and published its patches earlier than agreed.

After agreeing to a coordinated disclosure date for the vulnerabilities of February 7 back in December, on January 25 QNAP told Rapid7 it had already pushed out the patches.

Rather than focusing on the technical details of the vulnerabilities, QNAP's main focus with its disclosure appears to be highlighting the different patches available for different firmware versions.

The vulnerabilities disclosed today are the latest in a fairly extensive line of command injection flaws to impact QTS and QuTS firmware.

News URL

https://go.theregister.com/feed/www.theregister.com/2024/02/13/qnap_latest_vulnerabilities/