NAS vendor QNAP Systems has urgently issued patches for no fewer than 24 vulnerabilities across its product range, including two high-severity flaws that could allow command execution.
Despite the severity of these vulnerabilities, QNAP has not reported any cases of these bugs being exploited in the wild. The Taiwan-based firm’s move is more of a proactive measure against potentially highly damaging exploits.
According to SecurityWeek, the most concerning vulnerabilities, tracked as CVE-2023-45025 and CVE-2023-39297, are OS command injection flaws. These flaws are present in QTS versions 5.1.x and 4.5.x, QuTS hero versions h5.1.x and h4.5.x, and QuTScloud version 5.x. The first of these can be exploited by users to execute commands over a network under certain system configurations, while the second requires authentication for successful exploitation.
Patch now!
QNAP has also released patches for two more vulnerabilities, CVE-2023-47567 and CVE-2023-47568. These remotely exploitable flaws are present in QTS, QuTS hero, and QuTScloud and require administrator authentication for successful exploitation. The former is an OS command injection, while the latter is an SQL injection vulnerability.
All four of these security defects have been addressed in the latest QTS, QuTS hero, and QuTScloud versions. Another high-severity vulnerability, CVE-2023-47564, affecting Qsync Central versions 4.4.x and 4.3.x, has also been patched. This bug could allow authenticated users to read or modify critical resources over a network.
In addition to these high-severity flaws, QNAP has patched several medium-severity vulnerabilities that could lead to code execution, DoS attacks, command execution, restrictions bypass, leakage of sensitive data, and code injection.
For more detailed information on these vulnerabilities, users are advised to visit QNAP’s security advisories page.