Security ID : NAS-201911-20

Security Advisory for Vulnerabilities in Helpdesk, Music Station, and File Station


  • Release date : November 20, 2019

  • CVE identifier : CVE-2018-0728 | CVE-2018-0729 | CVE-2018-0730

  • Affected products: QNAP NAS devices

Severity

Important

Status

Resolved


Summary

Three vulnerabilities are reported to affect all versions of Helpdesk, Music Station, and File Station.

  • CVE-2018-0728: This improper access control vulnerability in Helpdesk allows attackers to access the system logs.
  • CVE-2018-0729: This command injection vulnerability in Music Station allows attackers to execute commands on the affected device.
  • CVE-2018-0730: This command injection vulnerability in File Station allows attackers to execute commands on the affected device.

QNAP has fixed these issues in the following software versions.

Helpdesk:

  • All QTS versions: Helpdesk 3.0.0 and later

Music Station:

  • QTS 4.4.1: Music Station 5.3.5 and later
  • QTS 4.3.6: Music Station 5.2.7 and later
  • QTS 4.3.4: Music Station 5.1.11 and later
  • QTS 4.3.3: Music Station 5.1.11 and later
  • QTS 4.2.6: Music Station 4.8.8 and later

File Station:

  • QTS 4.4.1: build 20190918 and later
  • QTS 4.3.6: build 20190328 and later
  • QTS 4.3.4: build 20190325 and later
  • QTS 4.3.3: build 20190325 and later
  • QTS 4.2.6: build 20190325 and later
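The following Python check is an added example, not part of QNAP's advisory: it compares an inventory of installed versions against the fixed versions listed above, comparing version parts numerically so that 5.1.9 is not mistaken for a newer release than 5.1.11. The inventory, host names and function names are constructed for illustration, and for File Station the value compared is assumed to be the QTS build number.

```python
# Added example (not QNAP code): minimum fixed versions copied from NAS-201911-20.
FIXED = {
    "Helpdesk": {"*": "3.0.0"},  # all QTS versions
    "Music Station": {"4.4.1": "5.3.5", "4.3.6": "5.2.7", "4.3.4": "5.1.11",
                      "4.3.3": "5.1.11", "4.2.6": "4.8.8"},
    # File Station is fixed by the QTS build, so its "version" is the build number.
    "File Station": {"4.4.1": "20190918", "4.3.6": "20190328", "4.3.4": "20190325",
                     "4.3.3": "20190325", "4.2.6": "20190325"},
}
CVE = {"Helpdesk": "CVE-2018-0728", "Music Station": "CVE-2018-0729",
       "File Station": "CVE-2018-0730"}

def vkey(version, width=4):
    """Parse '5.1.11' into (5, 1, 11, 0) so it compares above '5.1.9'."""
    parts = [int(p) for p in version.strip().split(".")]
    return tuple(parts + [0] * (width - len(parts)))

def check(qts, component, installed):
    """Return 'fixed', 'vulnerable', or 'unknown' (branch not in the advisory
    or an unparseable version string); 'unknown' needs manual review."""
    table = FIXED[component]
    minimum = table.get("*") or table.get(qts)
    if minimum is None:
        return "unknown"
    try:
        return "fixed" if vkey(installed) >= vkey(minimum) else "vulnerable"
    except ValueError:
        return "unknown"

def audit(inventory):
    """List (host, CVE, status) for every component that is not confirmed fixed."""
    findings = []
    for host in inventory:
        for component, installed in host["components"].items():
            status = check(host["qts"], component, installed)
            if status != "fixed":
                findings.append((host["name"], CVE[component], status))
    return findings

# Constructed inventory (hypothetical hosts and versions).
INVENTORY = [
    {"name": "nas-a", "qts": "4.3.4", "components": {
        "Helpdesk": "3.0.1", "Music Station": "5.1.9", "File Station": "20190325"}},
    {"name": "nas-b", "qts": "4.4.1", "components": {
        "Helpdesk": "2.1.5", "Music Station": "5.3.5", "File Station": "20190801"}},
    {"name": "nas-c", "qts": "4.3.5", "components": {
        "Helpdesk": "3.0.0", "Music Station": "5.2.7"}},
]

if __name__ == "__main__":
    for finding in audit(INVENTORY):
        print(*finding)
```

A QTS branch that the advisory does not list is reported as unknown rather than fixed, so it is flagged for manual review.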

Recommendation

To fix these vulnerabilities, we recommend updating QTS, Helpdesk and Music Station to their latest versions.

Important:

Regardless of which version of QTS you currently use, QNAP strongly recommends updating your QTS to the latest available version for your NAS model to ensure that your device can benefit from vulnerability fixes. You can check the product support status of your NAS model.

Installing the QTS Update

  1. Log on to QTS as administrator.
  2. Go to Control Panel > System > Firmware Update.
  3. Under Live Update, click Check for Update.
    QTS downloads and installs the latest available update.

Tip: You can also download the update from the QNAP website. Go to Support > Download Center and then perform a manual update for your specific device.

Updating Helpdesk

  1. Log on to QTS as administrator.
  2. Open the App Center, and then click the search icon.
    A search box appears.
  3. Type “Helpdesk”, and then press ENTER.
    The Helpdesk application appears in the search results.
  4. Click Update.
    A confirmation message appears.
    Note: The Update button is not available if you are using the latest version.
  5. Click OK.
    The application is updated.

Updating Music Station

  1. Log on to QTS as administrator.
  2. Open the App Center, and then click the search icon.
    A search box appears.
  3. Type “Music Station”, and then press ENTER.
    The Music Station application appears in the search results.
  4. Click Update.
    A confirmation message appears.
    Note: The Update button is not available if you are using the latest version.
  5. Click OK.
    The application is updated.

 

Acknowledgements: CyCarrier CSIRT

Revision History: V1.0 (November 20, 2019) - Published
