QNAP Systems has promptly resolved two critical command injection vulnerabilities, CVE-2023-23368 and CVE-2023-23369, discovered in the QTS operating system and associated applications used on its network-attached storage (NAS) devices. These vulnerabilities could have allowed remote attackers to execute arbitrary commands on affected devices, potentially taking control of them and accessing sensitive data.
The malicious server, which served as the command-and-control center for a botnet of infected devices, was responsible for launching a barrage of brute-force attacks against vulnerable NAS devices. These attacks aimed to gain unauthorized access to the devices by repeatedly attempting to guess weak or default passwords. QNAP’s Product Security Incident Response Team swiftly took action upon detecting the attacks. They effectively blocked hundreds of zombie network IPs, protecting numerous internet-exposed QNAP NAS devices from further assault. Furthermore, they successfully identified the source command-and-control server and, in collaboration with the cloud service provider, took measures to shut it down, preventing the situation from escalating further.
CVE-2023-23368, with a CVSS score of 9.8, is a critical OS command injection flaw. According to the advisory, it affects multiple versions of QNAP operating systems and, if successfully exploited, allows remote attackers to execute commands over a network.
CVE-2023-23369, rated with a CVSS score of 9.0, is likewise an OS command injection issue. It affects various QNAP operating systems and applications and enables remote attackers to execute commands over a network.
QNAP has released security patches to address these vulnerabilities, and it is urging all users to apply the patches as soon as possible.
Affected Products
The following QNAP operating system versions are affected by CVE-2023-23368:
- QTS 5.0.x
- QTS 4.5.x
- QuTS hero h5.0.x
- QuTS hero h4.5.x
- QuTScloud c5.0.x
The following QNAP operating system versions are affected by CVE-2023-23369:
- QTS 5.1.x
- QTS 4.3.6
- QTS 4.3.4
- QTS 4.3.3
- QTS 4.2.x
- Multimedia Console 2.1.x
- Multimedia Console 1.4.x
- Media Streaming add-on 500.1.x
- Media Streaming add-on 500.0.x
Solution
The following fixed versions are available to address CVE-2023-23368:
- QTS 5.0.1.2376 build 20230421 and later
- QTS 4.5.4.2374 build 20230416 and later
- QuTS hero h5.0.1.2376 build 20230421 and later
- QuTS hero h4.5.4.2374 build 20230417 and later
- QuTScloud c5.0.1.2374 and later
The following fixed versions are available to address CVE-2023-23369:
- QTS 5.1.0.2399 build 20230515 and later
- QTS 4.3.6.2441 build 20230621 and later
- QTS 4.3.4.2451 build 20230621 and later
- QTS 4.3.3.2420 build 20230621 and later
- QTS 4.2.6 build 20230621 and later
- Multimedia Console 2.1.2 (2023/05/04) and later
- Multimedia Console 1.4.8 (2023/05/05) and later
- Media Streaming add-on 500.1.1.2 (2023/06/12) and later
- Media Streaming add-on 500.0.0.11 (2023/06/16) and later
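As an added example (not QNAP's or this page's own code), the following Python check compares an inventory against the affected branches and fixed versions listed above. The host names and versions in `INVENTORY` are constructed, and the comparison assumes that, within a branch, the version number and then the build date order the releases.

```python
import re

# (CVE, product, affected branch, first fixed version, fixed build date; 0 = none given)
FIXES = [
    ("CVE-2023-23368", "QTS", "5.0", "5.0.1.2376", 20230421),
    ("CVE-2023-23368", "QTS", "4.5", "4.5.4.2374", 20230416),
    ("CVE-2023-23368", "QuTS hero", "5.0", "5.0.1.2376", 20230421),
    ("CVE-2023-23368", "QuTS hero", "4.5", "4.5.4.2374", 20230417),
    ("CVE-2023-23368", "QuTScloud", "5.0", "5.0.1.2374", 0),
    ("CVE-2023-23369", "QTS", "5.1", "5.1.0.2399", 20230515),
    ("CVE-2023-23369", "QTS", "4.3.6", "4.3.6.2441", 20230621),
    ("CVE-2023-23369", "QTS", "4.3.4", "4.3.4.2451", 20230621),
    ("CVE-2023-23369", "QTS", "4.3.3", "4.3.3.2420", 20230621),
    ("CVE-2023-23369", "QTS", "4.2", "4.2.6", 20230621),
    ("CVE-2023-23369", "Multimedia Console", "2.1", "2.1.2", 0),
    ("CVE-2023-23369", "Multimedia Console", "1.4", "1.4.8", 0),
    ("CVE-2023-23369", "Media Streaming add-on", "500.1", "500.1.1.2", 0),
    ("CVE-2023-23369", "Media Streaming add-on", "500.0", "500.0.0.11", 0),
]

def parse(version):
    """'h5.0.1.2376' -> (5, 0, 1, 2376); the h/c product prefix is dropped."""
    return tuple(int(n) for n in re.findall(r"\d+", version))

def unpatched_cves(product, version, build=0):
    """CVEs whose affected branch matches and whose fix is missing ([] = not listed here)."""
    ver, hits = parse(version), []
    for cve, prod, branch, fixed, fixed_build in FIXES:
        prefix = parse(branch)
        if prod.lower() == product.lower() and ver[:len(prefix)] == prefix:
            # Same branch: compare version first, build date as tie-breaker.
            if (ver, build) < (parse(fixed), fixed_build):
                hits.append(cve)
    return hits

# Constructed inventory (host, product, version, build) for illustration only.
INVENTORY = [
    ("nas-01", "QTS", "5.0.1.2277", 20230112),
    ("nas-02", "QTS", "5.0.1.2376", 20230421),
    ("nas-03", "QuTS hero", "h4.5.4.2217", 20221111),
    ("nas-05", "Media Streaming add-on", "500.1.1.1", 0),
]

def report(inventory):
    found = {h: unpatched_cves(p, v, b) for h, p, v, b in inventory}
    return {h: cves for h, cves in found.items() if cves}

if __name__ == "__main__":
    print(report(INVENTORY))
```

An empty result for a host means only that its version is not in a branch listed as affected on this page, not that the device is otherwise up to date.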
SanerNow Vulnerability Management and SanerNow Patch Management detect and automatically fix these vulnerabilities by applying security updates. Use SanerNow and keep your systems updated and secure!