QNAP has urgently issued security updates to patch several critical vulnerabilities affecting its NAS devices and routers. Among these are severe flaws that could lead to unauthorized access and remote code execution. Users are strongly advised to apply these updates immediately to protect their systems.

Notes Station 3 Security Flaws

Two major vulnerabilities have been identified in Notes Station 3, a popular application on QNAP NAS devices:

CVE-2024-38643: Involves missing authentication for critical functions, allowing remote attackers to gain unauthorized access and execute commands. This flaw has a CVSS v4 score of 9.3, rated as "critical."

CVE-2024-38645: A server-side request forgery (SSRF) vulnerability that can be exploited by authenticated users to manipulate server-side operations and access sensitive information. QNAP has resolved these issues in Notes Station 3 version 3.9.7. Users are advised to upgrade their software immediately, following instructions in QNAP's security bulletin.

Further vulnerabilities, identified as CVE-2024-38644 and CVE-2024-38646, are classified as "high severity" and involve command injection and data access that require user-level access to exploit.

QuRouter Vulnerabilities

The QuRouter 2.4.x series is affected by a critical OS command injection vulnerability, CVE-2024-48860, which could be exploited by remote attackers to run commands on the host. Another command injection issue, CVE-2024-48861, has also been addressed. Both are resolved in QuRouter version 2.4.3.106, and immediate updates are advised.

Other vulnerabilities addressed by QNAP include:

CVE-2024-38647: An information exposure flaw in QNAP AI Core, fixed in version 3.4.1.

CVE-2024-48862: A link-following vulnerability in QuLog Center, patched in versions 1.7.0.831 and 1.8.0.888.

CVE-2024-50396 & CVE-2024-50397: Format string handling vulnerabilities in QTS and QuTS Hero, resolved in versions 5.2.1.2930 and h5.2.1.2929 respectively.

QNAP strongly urges users to:

Install the latest patches immediately.

Avoid exposing QNAP devices directly to the Internet.

Use a VPN for added security

Stay updated with the latest versions as soon as they're available. By following these steps, QNAP users can minimize risks and safeguard their data from exploitation.

The link has been copied!