Security News > 2024 > February > QNAP fixes OS command injection flaws affecting its NAS devices (CVE-2023-47218, CVE-2023-50358)
QNAP Systems has patched two unauthenticated OS command injection vulnerabilities in various versions of the operating systems embedded in the firmware of their popular network-attached storage devices.
"Prior to the publication of CVE-2023-47565, Unit 42 researchers initially suspected the ATP-observed vulnerability to affect QNAP NAS systems running QTS firmware. However, on November 17, 2023, Unit 42 conducted reverse engineering and additional investigation of QTS firmware images and discovered the vulnerability now known as CVE-2023-50358. The two vulnerabilities are somewhat similar, but affect different software components in different classes of devices."
QNAP NAS devices are often targeted by attackers, and especially by ransomware-wielding attackers.
Cgi component is present in uninitialized QNAP NAS devices and, once a device has been successfully initialized, it is disabled on the system.
This detail may explain the medium severity score determined by QNAP. The two vulnerabilities affect various versions of QTS, QuTS hero and QuTScloud, which are core parts of the firmware for entry- and mid-level QNAP NAS devices, high-end and enterprise NAS devices, and cloud-based NAS devices.
Admins are advised to upgrade QNAP NAS devices to a fixed firmware version.
News URL
https://www.helpnetsecurity.com/2024/02/14/cve-2023-47218-cve-2023-50358/
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2024-02-13 | CVE-2023-50358 | An OS command injection vulnerability has been reported to affect several QNAP operating system versions. | 0.0 |
| 2023-12-08 | CVE-2023-47565 | OS Command Injection vulnerability in Qnap QVR Firmware An OS command injection vulnerability has been found to affect legacy QNAP VioStor NVR models running QVR Firmware 4.x. | 8.8 |