Security ID : NAS-201811-22
Security Advisory for Vulnerabilities in QTS
Release date : November 22, 2018
CVE identifier : CVE-2018-14746 | CVE-2018-14747 | CVE-2018-14748 | CVE-2018-14749
Affected products:
- QTS 4.3.5: build 20181013 and earlier versions
- QTS 4.3.4: build 20181008 and earlier versions
- QTS 4.3.3: build 20180829 and earlier versions
- QTS 4.2.6: build 20180829 and earlier versions
Severity : Critical
Status : Resolved
Summary
Four vulnerabilities affecting different versions of QTS have recently been reported. Below are details for each CVE.
- CVE-2018-14746: If exploited, this vulnerability could allow remote attackers to run arbitrary commands on the NAS.
- CVE-2018-14747: If exploited, this vulnerability could allow remote attackers to crash the NAS media server.
- CVE-2018-14748: If exploited, this vulnerability could allow remote attackers to power off the NAS.
- CVE-2018-14749: If exploited, this buffer overflow vulnerability could have unspecified impact on the NAS.
We have fixed these issues in the following QTS versions:
- QTS 4.3.5: build 20181110 and later
- QTS 4.3.4: build 20181026 and later
- QTS 4.3.3: build 20181029 and later
- QTS 4.2.6: build 20181026 and later
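To triage a fleet against the build numbers listed in this advisory, the following added example (not QNAP code) classifies a reported QTS version string as affected, fixed, or undetermined. The input format `<version> build <YYYYMMDD>`, the host names and the sample inventory are assumptions constructed for illustration.

```python
import re

# Build numbers copied from advisory NAS-201811-22:
# branch -> (last build listed as affected, first build listed as fixed)
THRESHOLDS = {
    "4.3.5": (20181013, 20181110),
    "4.3.4": (20181008, 20181026),
    "4.3.3": (20180829, 20181029),
    "4.2.6": (20180829, 20181026),
}

# Assumed input format: "<major.minor.patch>[.<n>] build <YYYYMMDD>"
VERSION_RE = re.compile(r"(?<![\d.])(\d+\.\d+\.\d+)(?:\.\d+)?\s+build\s+(\d{8})\b", re.I)

def classify(version_string):
    """Return affected / fixed / undetermined / not-listed / unparsed."""
    m = VERSION_RE.search(version_string)
    if not m:
        return "unparsed"
    branch, build = m.group(1), int(m.group(2))
    if branch not in THRESHOLDS:
        return "not-listed"  # the advisory makes no statement about this branch
    last_affected, first_fixed = THRESHOLDS[branch]
    if build <= last_affected:
        return "affected"
    if build >= first_fixed:
        return "fixed"
    # Builds between the two listed numbers are not covered by the advisory.
    return "undetermined"

def triage(inventory):
    """Group host names by classification; anything not 'fixed' needs review."""
    groups = {}
    for host, version_string in inventory.items():
        groups.setdefault(classify(version_string), []).append(host)
    return groups

# Constructed sample inventory (host names and version strings are made up).
SAMPLE = {
    "nas-01": "4.3.5.0728 build 20181013",
    "nas-02": "4.3.4.0741 build 20181026",
    "nas-03": "4.3.3.0700 build 20180915",
    "nas-04": "4.1.4 build 20180101",
}

if __name__ == "__main__":
    for status, hosts in sorted(triage(SAMPLE).items()):
        print(f"{status}: {', '.join(hosts)}")
```

Hosts reported as undetermined or not-listed fall outside what the advisory states and should be reviewed manually.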
Recommendation
To resolve the issue, you must update your QTS to the latest version.
Installing the QTS Update
- Log on to QTS as administrator.
- Go to Control Panel > System > Firmware Update.
- Under Live Update, click Check for Update.
QTS downloads and installs the latest available update.
Acknowledgements: Ori Hollander of VDOO
Revision History: V1.0 (November 22, 2018) - Published