Security ID : NAS-201703-21

Security Vulnerabilities Addressed in QTS 4.2.4 Build 20170313


  • Release date : March 21, 2017

  • Affected products: All QNAP NAS running QTS

Severity

Critical

Status

Resolved


Summary

QTS 4.2.4 Build 20170313 includes security fixes for the following vulnerabilities:

  • Configuration file vulnerability (CVE-2017-5227) reported by Pasquale Fiorillo of ISGroup (www.isgroup.biz), a cyber security company, and Guido Oricchio of PCego (www.pcego.com), a system integrator
  • SQL injection, command injection, heap overflow, cross-site scripting, and three stack overflow vulnerabilities reported by Peter Kostiuk, a security researcher at Salesforce.com
  • Three command injection vulnerabilities (CVE-2017-6361, CVE-2017-6360, and CVE-2017-6359) reported by Harry Sintonen of F-Secure
  • Access control vulnerability that would incorrectly restrict authorized user access to resources
  • Two stack overflow vulnerabilities that could be exploited to execute malicious code, reported by Oliver Gruskovnjak, Security Researcher (Salesforce.com)
  • Clickjacking vulnerability that could be exploited to trick users into clicking malicious links
  • Missing HttpOnly Flag From Cookie vulnerability that could be exploited to steal session cookies
  • SNMP Agent Default Community Name vulnerability that could be exploited to gain access to the system using the default community string
  • SNMP credentials in clear text vulnerability that could be exploited to steal user credentials
  • LDAP anonymous directory access vulnerability that could be exploited to allow anonymous connections

Solution

To fix these security vulnerabilities, install QTS 4.2.4 Build 20170313.

Installing the Update

  1. Log in as an administrator on your QNAP NAS.
  2. Go to Control Panel > System > Firmware Update.
  3. Under Live Update, click Check for Update.

Tip: You can also download the build from the QNAP website. Go to Support > Download and then perform a manual update.

 

If you have any questions regarding this issue, please contact us at http://helpdesk.qnap.com/

Revision History: 2017-03-21
