QNAP Security Advisory | Bulletin ID: QSA-20-03


Post by Toxic17 »

Taipei, Taiwan, June 24, 2020 - QNAP® has published security enhancements against security vulnerabilities that could affect specific versions of QNAP products. Please use the following information and solutions to correct the security issues and vulnerabilities.

Improper Access Control in Helpdesk

Release date: June 24, 2020
Security ID: QSA-20-03
Severity rating: Critical
CVE identifier: CVE-2020-2500
Affected products: Helpdesk

Summary

This improper access control vulnerability in Helpdesk allows attackers to get control of the QNAP Kayako service. Attackers can access the sensitive data on the QNAP Kayako server with API keys. We have replaced the API key to mitigate the vulnerability, and have already fixed the issue in Helpdesk 3.0.1 and later versions.

Recommendation

To fix the vulnerability, we strongly recommend updating Helpdesk to the latest version.

Updating Helpdesk
  1. Log on to QTS as administrator.
  2. Open the App Center, and then click the search icon.
    A search box appears.
  3. Type “Helpdesk”, and then press ENTER.
    The Helpdesk application appears in the search result list.
  4. Click Update.
    A confirmation message appears.
    Note: The Update button is not available if you are using the latest version.
  5. Click OK.
    The application is updated.
 
Acknowledgements: Yoni Ramon, security researcher
Revision History: V1.0 (June 24, 2020) - Published
 
If you have any questions regarding this issue, please contact us at https://www.qnap.com/go/support-ticket/.