Security ID : NAS-201803-23
Security Advisory for Vulnerabilities in QTS
Release date : March 23, 2018
CVE identifier : CVE-2017-7629 | CVE-2017-7630 | CVE-2017-7631 | CVE-2017-7632
Affected products:
- QTS 4.2.6: build 20171026 and earlier versions
- QTS 4.3.3: build 20170727 and earlier versions
Severity: Important
Status: Resolved
Summary
Four vulnerabilities affecting different versions of QTS have recently been reported. Below are details for each CVE.
- CVE-2017-7629: This vulnerability allows any QTS user to bypass password verification steps when changing their own password.
- CVE-2017-7630: This vulnerability allows remote attackers to access sensitive information on the NAS.
- CVE-2017-7631: This cross-site scripting (XSS) vulnerability allows remote attackers to inject malicious code in the compromised application.
- CVE-2017-7632: This cross-site scripting (XSS) vulnerability allows remote attackers to inject malicious code in the compromised application.

We have already fixed these issues in the following QTS versions.
- QTS 4.2.6: build 20171208 and later
- QTS 4.3.3: build 20170901 and later

Recommendation
To fix these vulnerabilities, you must update QTS to the following versions.
- QTS 4.2.6: build 20171208 or later
- QTS 4.3.3: build 20170901 or later

Installing the QTS Update
- Log on to QTS as administrator.
- Go to Control Panel > System > Firmware Update.
- Under Live Update, click Check for Update.
QTS downloads and installs the latest available update.
Tip: You can also download the update from the QNAP website. Go to Support > Download and then perform a manual update.
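To check several devices against the affected and fixed builds listed above, the following is an added example, not QNAP code. It assumes a hypothetical inventory of "host version build" lines (the sample hosts and version strings are constructed) and reports a build that falls between the last listed affected build and the first listed fixed build as UNDETERMINED, since the advisory does not state its status.

```python
import re

# Build thresholds copied from this advisory, keyed by QTS branch:
# (last build listed as affected, first build listed as fixed).
ADVISORY = {
    "4.2.6": (20171026, 20171208),
    "4.3.3": (20170727, 20170901),
}
# Assumed inventory line format: host, dotted version, 8-digit build date.
LINE = re.compile(r"^(\S+)\s+(\d+\.\d+\.\d+)\S*\s+(\d{8})$")

def classify(version, build):
    """Return the advisory status for one QTS version/build pair."""
    branch = ".".join(version.split(".")[:3])
    if branch not in ADVISORY:
        return "NOT_LISTED"      # the advisory says nothing about this branch
    last_affected, first_fixed = ADVISORY[branch]
    if build <= last_affected:
        return "AFFECTED"
    if build >= first_fixed:
        return "FIXED"
    return "UNDETERMINED"        # between the two builds the advisory names

def triage(inventory_text):
    """Parse 'host version build' lines and return {host: status}."""
    results = {}
    for raw in inventory_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE.match(line)
        if not m:
            results[line.split()[0]] = "UNPARSED"   # flag for manual review
            continue
        results[m.group(1)] = classify(m.group(2), int(m.group(3)))
    return results

# Constructed sample inventory (hosts and version strings are made up).
SAMPLE = """\
# host  qts-version  build
nas-a 4.2.6 20171026
nas-b 4.2.6 20171208
nas-c 4.3.3 20170817
nas-d 4.3.3.0299 20170901
nas-e 4.3.4 20180315
nas-f 4.2.6 unknown
"""

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host}\t{status}")
```

Devices reported as AFFECTED, UNDETERMINED or UNPARSED are the ones to update or inspect by hand.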
Acknowledgements: Tony Martin, information security researcher
Revision History: V1.0 (March 23, 2018) - Published