Sunday, June 7, 2020

[newsletter] QNAP Security Advisory | Bulletin ID: QSA-20-01

Hello,

If you have any questions about updating your QNAP NAS, please contact me.

 


 

QNAP Security Advisory | Bulletin ID: QSA-20-01

Taipei, Taiwan, June 5, 2020 - QNAP® has published security enhancements against security vulnerabilities that could affect specific versions of QNAP products. Please use the following information and solutions to correct the security issues and vulnerabilities.

Multiple Vulnerabilities in File Station

Release date: June 5, 2020
Security ID: QSA-20-01
Severity rating: High
CVE identifier: CVE-2018-19943 | CVE-2018-19949 | CVE-2018-19953
Affected products: All QNAP NAS

Summary

Three vulnerabilities have been reported to affect earlier versions of QTS.

  • CVE-2018-19943: If exploited, this cross-site scripting vulnerability could allow remote attackers to inject malicious code.
  • CVE-2018-19949: If exploited, this command injection vulnerability could allow remote attackers to run arbitrary commands.
  • CVE-2018-19953: If exploited, this cross-site scripting vulnerability could allow remote attackers to inject malicious code.

QNAP has already fixed these issues in the following QTS versions.

  • QTS 4.4.2.1270 build 20200410 and later
  • QTS 4.4.1.1261 build 20200330 and later
  • QTS 4.3.6.1263 build 20200330 and later
  • QTS 4.3.4.1282 build 20200408 and later
  • QTS 4.3.3.1252 build 20200409 and later
  • QTS 4.2.6 build 20200421 and later
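
The fixed-build list above can be turned into a fleet check; this is an added example, not part of QNAP's advisory. The function names and the inventory entries are constructed for illustration, and the check assumes that build dates only increase within a QTS branch and that version strings have the form `X.Y.Z[.N] build YYYYMMDD` used in the list.

```python
import re

# Minimum fixed build date per QTS branch, copied from QSA-20-01.
FIXED_BUILDS = {
    (4, 4, 2): 20200410,
    (4, 4, 1): 20200330,
    (4, 3, 6): 20200330,
    (4, 3, 4): 20200408,
    (4, 3, 3): 20200409,
    (4, 2, 6): 20200421,
}

# Accepts "4.4.2.1270 build 20200410", "QTS 4.2.6 build 20200421", etc.
VERSION_RE = re.compile(
    r"^\s*(?:QTS\s+)?(\d+)\.(\d+)\.(\d+)(?:\.\d+)?\s+build\s+(\d{8})\s*$",
    re.IGNORECASE,
)


def qsa_20_01_status(version_string):
    """Classify one QTS version string against the advisory's fixed builds."""
    m = VERSION_RE.match(version_string)
    if not m:
        return "unparseable"
    branch = tuple(int(x) for x in m.group(1, 2, 3))
    build = int(m.group(4))
    fixed = FIXED_BUILDS.get(branch)
    if fixed is None:
        # Branch is not listed in the advisory: do not guess, review manually.
        return "unknown-branch"
    return "fixed" if build >= fixed else "vulnerable"


def triage(inventory):
    """Map each host name to its status for QSA-20-01."""
    return {host: qsa_20_01_status(v) for host, v in inventory.items()}


# Constructed inventory (hypothetical hosts and installed versions).
SAMPLE_INVENTORY = {
    "nas-office": "QTS 4.4.1.1216 build 20200214",
    "nas-backup": "4.4.2.1270 build 20200410",
    "nas-legacy": "4.2.6 build 20191107",
    "nas-lab": "4.5.1.1495 build 20201123",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host}: {status}")
```

Hosts reported as `unknown-branch` or `unparseable` need a manual check against the advisory rather than being treated as patched.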

Recommendation

To fix these vulnerabilities, we recommend updating QTS to the latest versions.

Important:

Regardless of which version of QTS you currently use, QNAP strongly recommends updating your QTS to the latest available version for your NAS model to ensure that your device can benefit from vulnerability fixes. You can check the product support status of your NAS model.

Installing the QTS Update

  1. Log on to QTS as administrator.
  2. Go to Control Panel > System > Firmware Update.
  3. Under Live Update, click Check for Update.
    QTS downloads and installs the latest available update.

Tip: You can also download the update from the QNAP website. Go to Support > Download Center and then perform a manual update for your specific device.

 

Acknowledgements: Independent Security Evaluators
Revision history: V1.0 (June 5, 2020) - Published

 

If you have any questions regarding this issue, please contact us at https://www.qnap.com/go/support-ticket/.
