Security ID : QSA-21-09
DNSpooq Vulnerabilities in QTS
Release date : July 1, 2021
CVE identifier : CVE-2020-25684 | CVE-2020-25685 | CVE-2020-25686
Affected products: Certain QNAP NAS
Severity
Moderate
Status
Resolved
Summary
DNSpooq vulnerabilities—including DNS cache poisoning and buffer overflow vulnerabilities—have been reported to affect certain versions of QTS. If exploited, these vulnerabilities allow attackers to perform remote code execution.
QNAP has already fixed these vulnerabilities in the following versions:
- QTS 4.5.3.1652 build 20210428 and later
- QuTS hero h4.5.3.1670 build 20210515 and later
- QuTScloud c4.5.5.1656 build 20210503 and later
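The following check compares release strings from a device inventory against the fixed versions listed above. It is an added example, not QNAP code. It assumes release strings are written in this advisory's notation; host names and the older release values in the sample are constructed.

```python
import re

# Fixed releases exactly as listed in this advisory: product -> (version, build date).
FIXED = {
    "QTS": ((4, 5, 3, 1652), 20210428),
    "QuTS hero": ((4, 5, 3, 1670), 20210515),
    "QuTScloud": ((4, 5, 5, 1656), 20210503),
}

# Release strings in the advisory's notation, e.g. "QuTS hero h4.5.3.1670 build 20210515".
RELEASE_RE = re.compile(
    r"^\s*(QuTS hero|QuTScloud|QTS)\s+[hc]?(\d+(?:\.\d+){1,3})\s+build\s+(\d{8})\s*$"
)

def parse_release(text):
    """Return (product, 4-part version tuple, build date) or raise ValueError."""
    m = RELEASE_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised release string: {text!r}")
    parts = [int(p) for p in m.group(2).split(".")]
    parts += [0] * (4 - len(parts))  # pad short versions such as "4.5.3"
    return m.group(1), tuple(parts), int(m.group(3))

def is_fixed(text):
    """True if the release is at or after the fixed release listed for its product."""
    product, version, build = parse_release(text)
    # Compare the version first; the build date only breaks ties on the same version.
    return (version, build) >= FIXED[product]

def audit(inventory):
    """Map each host to 'fixed', 'below listed fix' or 'unparsed'."""
    report = {}
    for host, release in inventory:
        try:
            report[host] = "fixed" if is_fixed(release) else "below listed fix"
        except ValueError:
            report[host] = "unparsed"
    return report

# Constructed sample inventory (host names and the older release values are made up).
SAMPLE_INVENTORY = [
    ("nas-01", "QTS 4.5.3.1652 build 20210428"),
    ("nas-02", "QTS 4.5.2.1000 build 20210101"),
    ("nas-03", "QuTS hero h4.5.3.1670 build 20210601"),
    ("nas-04", "QuTScloud c4.5.4.1000 build 20210201"),
    ("nas-05", "firmware unknown"),
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as "unparsed" need a manual check, since the script cannot tell which product or release they run.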
Recommendation
To secure your device, we recommend regularly updating QTS and all installed applications to their latest versions to benefit from vulnerability fixes. You can check the product support status to see the latest updates available to your NAS model.
Updating QTS
- Log on to QTS as administrator.
- Go to Control Panel > System > Firmware Update.
- Under Live Update, click Check for Update.
QTS downloads and installs the latest available update.
Tip: You can also download the update from the QNAP website. Go to Support > Download Center and then perform a manual update for your specific device.
Updating All Installed Applications
- Log on to QTS as administrator.
- Go to App Center.
- Select My Apps.
- Next to Install Updates, click All.
A confirmation message appears.
- Click OK.
QTS updates all your installed applications to their latest versions.
Revision History: V1.0 (July 1, 2021) - Published