[SECURITY ADVISORY] Vulnerabilities in QTS - NAS-201811-22

Post by Toxic17 » Tue Nov 27, 2018 7:40 am

Security ID: NAS-201811-22
Severity: Critical
CVE identifier: CVE-2018-14746 | CVE-2018-14747 | CVE-2018-14748 | CVE-2018-14749
Affected products: QTS 4.3.5: build 20181013 and earlier versions
QTS 4.3.4: build 20181008 and earlier versions
QTS 4.3.3: build 20180829 and earlier versions
QTS 4.2.6: build 20180829 and earlier versions

Summary
Four vulnerabilities affecting different versions of QTS have recently been reported. Below are details for each CVE.

CVE-2018-14746: If exploited, this vulnerability could allow remote attackers to run arbitrary commands on the NAS.
CVE-2018-14747: If exploited, this vulnerability could allow remote attackers to crash the NAS media server.
CVE-2018-14748: If exploited, this vulnerability could allow remote attackers to power off the NAS.
CVE-2018-14749: If exploited, this buffer overflow vulnerability could have unspecified impact on the NAS.

We have fixed these issues in the following QTS versions:

QTS 4.3.5: build 20181110 and later
QTS 4.3.4: build 20181026 and later
QTS 4.3.3: build 20181029 and later
QTS 4.2.6: build 20181026 and later

Recommendation
To resolve the issue, you must update your QTS to the latest version.

Installing the QTS Update
Log on to QTS as administrator.
Go to Control Panel > System > Firmware Update.
Under Live Update, click Check for Update.
QTS downloads and installs the latest available update.

Acknowledgements: Ori Hollander of VDOO

Revision History: V1.0 (November 22, 2018) - Published

Source: https://www.qnap.com/en-uk/security-adv ... -201811-22
Regards Simon
