Security ID : NAS-201908-06
Security Advisory for Access Control on QTS
Release date : August 6, 2019
CVE identifier : CVE-2019-7189 | CVE-2019-7190 | CVE-2019-7191
Affected products: All QNAP NAS running QTS 4.3.6 and earlier versions
Severity
Important
Status
Resolved
Summary
Some reported QTS vulnerabilities may affect QNAP NAS devices running QTS 4.2.6 and earlier versions. Below are the details for each CVE.
- CVE-2019-7189: If exploited, the vulnerability can be used to modify user account information.
- CVE-2019-7190: If exploited, the vulnerability can be used to inject unexpected content through XML code.
- CVE-2019-7191: If exploited, the vulnerability can be used to inject unexpected parameters to system files.
We have already fixed these issues in the following QTS versions:
- QTS 4.4.1: build 20190626 and later
- QTS 4.4.0: build 20190627 and later
- QTS 4.3.6: build 20190704 and later
- QTS 4.3.4: build 20190701 and later
- QTS 4.3.3: build 20190629 and later
- QTS 4.2.6: build 20190629 and later
Recommendation
To fix these vulnerabilities, we recommend updating QTS to the latest version.
Installing the QTS Update
- Log on to QTS as administrator.
- Go to Control Panel > System > Firmware Update.
- Under Live Update, click Check for Update.
QTS downloads and installs the latest available update.
Tip: You can also download the update from the QNAP website. Go to Support > Download Center and then perform a manual update for your specific device.
Revision History: V1.0 (August 6, 2019) - Published
