QNAP Systems, Inc. - Network Attached Storage (NAS)

Language
Back to Security Advisory List

Security Advisory for Buffer Overflow Vulnerabilities in QTS

  • Release date: December 15, 2017
  • Security ID: NAS-201712-15
  • Severity: High
  • CVE identifier: CVE-2017-17027 | CVE-2017-17028 | CVE-2017-17029 | CVE-2017-17030 | CVE-2017-17031 | CVE-2017-17032 | CVE-2017-17033
  • Affected products:
    • For QTS 4.2.6: 4.2.6 build 20171026 and earlier
    • For QTS 4.3.3: 4.3.3.0378 build 20171117 and earlier
    • For QTS 4.3.4: 4.3.4.0387 (Beta 2) build 20171116 and earlier

Summary

Multiple buffer overflow vulnerabilities were recently found in QTS 4.2.6 build 20171026, 4.3.3.0378 build 20171117, 4.3.4.0387 (Beta 2) build 20171116 and earlier. If exploited, these vulnerabilities may allow remote attackers to run arbitrary code on NAS devices.

We have already patched these vulnerabilities in the following QTS versions:

  • 4.2.6 build 20171208
  • 4.3.3.0396 build 20171205 and later
  • 4.3.4.0411 (Beta 3) build 20171208 and later

Recommendations

To resolve the issue, you must update QTS to the following versions:

  • For QTS 4.2.6: 4.2.6 build 20171208
  • For QTS 4.3.3: 4.3.3.0396 build 20171205 and later
  • For QTS 4.3.4: 4.3.4.0411 (Beta 3) build 20171208 and later

An exploit of one of these vulnerabilities has been made public. We strongly recommend users to update QTS as soon as possible.

Updating QTS

  1. Log on to QTS as administrator.
  2. Go to Control Panel > System > Firmware Update.
  3. Under Live Update, click Check for Update.
    QTS downloads and installs the latest available update.

Acknowledgements:
• Security researcher @nervoir, together with vulnerability researchers from Trend Micro Zero-Day Initiative (ZDI), disclosed these vulnerabilities.
• A security researcher from TRUEL IT disclosed CVE-2017-17033 through Beyond Security’s SecuriTeam Secure Disclosure program.

Revision History:
• V 1.1 (January 3, 2018) - Updated recommendations
• V1.0 (December 15, 2017) - Published