Security ID : NAS-201606-17

Security vulnerabilities addressed in QTS 4.2.1 Build 20160601


  • Release date : June 17, 2016

  • Affected products: Every QNAP NAS with firmware prior to 4.2.1 Build 20160601

Severity

Moderate

Status

Resolved


Summary

QTS

  • Fixed multiple OpenSSL vulnerabilities (CVE-2016-2108, CVE-2016-2107, CVE-2016-2105, CVE-2016-2106, CVE-2016-2109, CVE-2016-2176).
  • Fixed multiple PHP vulnerabilities (CVE-2016-4537, CVE-2016-4538, CVE-2016-4542, CVE-2016-4543, CVE-2016-4544, CVE-2016-3074, CVE-2016-4540, CVE-2016-4541, CVE-2016-4539).
  • Fixed a GNU C Library vulnerability (CVE-2015-7547).
    Only a limited number of NAS models are affected. We recommend that TS-x31 and TS-x31+ series users update their devices to the latest firmware version.
  • Fixed a cross-site scripting (XSS) vulnerability (only firmware versions prior to QTS 4.2.0 are affected).
    We would like to express our gratitude to Davide 'Peru' Peruzzi [GoSecure!] for discovering this issue.
  • Fixed a cross-site scripting (XSS) vulnerability (CVE-2015-5664) associated with File Station (only firmware versions prior to QTS 4.2.0 are affected).
    We would like to express our gratitude to Keigo Yamazaki (LAC Co., Ltd.) for discovering this issue, and JPCERT/CC for their coordination effort.

QTS App

  1. Fixed a Perl vulnerability.
  2. Fixed three vulnerabilities (CVE-2015-6022, CVE-2015-6036, CVE-2015-7261) for Signage Station and one vulnerability (CVE-2015-7262) for iArtist Lite.
    The vulnerabilities are fixed in Signage Station v2.1.2.3 and iArtist Lite v1.4.167.0.
    You can apply the fix for Signage Station by updating it in the App Center. For iArtist Lite, the fix can be downloaded from http://download.qnap.com/Qsignage/iArtist_lite.zip
    For compatibility reasons, updating Signage Station requires updating iArtist Lite (and vice versa).
    We would like to express our gratitude to Mark Woods, a security consultant at Nettitude and long-time QNAP fan, for discovering the issues above.
  3. Two critical vulnerabilities (CVE-2016-2324, CVE-2016-2315) have been discovered in Git, and we have not received any fixes from the maintainer.
    Due to security concerns, the Git app will be removed from the App Center until a fix is received. We also recommend that users uninstall it until a fix is released.

Recommendations

To fix these security issues, log in to your NAS as an administrator, go to “Control Panel” > “Firmware Update”, and update your NAS with either a live update or a manual update. For instructions on updating NAS firmware, see How to update your QNAP NAS’s firmware?
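When checking a fleet of devices against this advisory, the only facts needed are the two thresholds the page states: firmware prior to 4.2.1 Build 20160601 lacks all of the fixes above, and the two XSS items apply only to firmware prior to QTS 4.2.0. The script below is an added example written for this page, not QNAP's own tooling. It parses version strings in the "4.2.1 Build 20160601" form used in this advisory and reports whether a device needs the update; how the string is collected from each NAS is outside its scope and is an assumption. A 4.2.1 string with no build number is treated conservatively as needing the update, since the fix is tied to a specific build of 4.2.1, not to the 4.2.1 version number alone. The sample version strings are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Thresholds taken from the advisory text.
FIXED_VERSION = (4, 2, 1)        # fixes ship in QTS 4.2.1 ...
FIXED_BUILD = 20160601           # ... Build 20160601
XSS_FIXED_VERSION = (4, 2, 0)    # XSS items affect only firmware prior to 4.2.0

# Accepts "4.2.1 Build 20160601" or a bare "4.2.1" (build number optional).
_VERSION_RE = re.compile(
    r"^\s*(\d+)\.(\d+)\.(\d+)\s*(?:Build\s*(\d{8}))?\s*$", re.IGNORECASE
)


@dataclass(frozen=True)
class QtsVersion:
    major: int
    minor: int
    patch: int
    build: Optional[int]  # YYYYMMDD build number, None if not given

    @property
    def triple(self):
        return (self.major, self.minor, self.patch)


def parse_qts_version(text: str) -> QtsVersion:
    """Parse a QTS version string as written in QNAP advisories."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised QTS version string: {text!r}")
    major, minor, patch, build = m.groups()
    return QtsVersion(int(major), int(minor), int(patch),
                      int(build) if build else None)


def is_before_fixed(v: QtsVersion) -> bool:
    """True if the firmware is prior to 4.2.1 Build 20160601.

    Edge case: a 4.2.1 string without a build number cannot be proven to be
    the fixed build or later, so it is reported as needing the update.
    """
    if v.triple != FIXED_VERSION:
        return v.triple < FIXED_VERSION
    if v.build is None:
        return True
    return v.build < FIXED_BUILD


def assess(text: str) -> dict:
    """Return the advisory's two findings for one version string."""
    v = parse_qts_version(text)
    return {
        "version": text.strip(),
        "needs_update": is_before_fixed(v),
        "xss_items_apply": v.triple < XSS_FIXED_VERSION,
    }


# Constructed sample inputs (hypothetical inventory, not data from the page).
SAMPLE_VERSIONS = [
    "4.2.0 Build 20160311",
    "4.1.4 Build 20150522",
    "4.2.1 Build 20160601",
    "4.2.1",
    "4.2.2 Build 20160812",
]

if __name__ == "__main__":
    for s in SAMPLE_VERSIONS:
        print(assess(s))
```

The comparison is done on the numeric version triple first and on the build date only when the version is exactly 4.2.1, which is where the advisory draws the line; comparing build dates across different versions would be meaningless.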


If you have any questions regarding this issue, please contact us at http://helpdesk.qnap.com/

Revision History: 2016-06-17
