Multiple Vulnerabilities in QTS, QuTS hero and QuTScloud

Summary

Multiple vulnerabilities have been reported to affect several QNAP operating system versions. If exploited, the OS command injection vulnerabilities could allow users to execute commands via a network.

We have already fixed the vulnerabilities in the following versions.

To fully fix the vulnerabilities, you must install one of the fully fixed versions.

If you do not want to install a fully fixed version for your device, you can still mitigate the vulnerabilities by installing a partially fixed version. However, note that the vulnerabilities still exist during the installation process of a partially fixed version. The vulnerabilities only disappear after installation is complete.

Recommendation

To secure your device, we recommend regularly updating your system to the latest version to benefit from vulnerability fixes. You can check the product support status to see the latest updates available to your NAS model.

Mitigation

If you do not want to update your operating system to the latest version, you can perform the following actions to mitigate the vulnerabilities.

1. Test the following URL in your browser:
   
        https://<NAS IP address>:<NAS system port>/cgi-bin/quick/quick.cgi
    
   • If you get the following response (HTTP 404 error), your system is not vulnerable:
          "Page not found or the web server is currently unavailable. Please contact the website administrator for help."
   • If you get an empty page (HTTP 200), continue to the next step.
      
2. Update your operating system to one of the following versions or later:
    
   • QTS 5.1.0.2444 build 20230629 and later
   • QTS 5.0.1.2145 build 20220903 and later
   • QTS 5.0.0.1986 build 20220324 and later
   • QTS 4.5.4.2012 build 20220419 and later
   • QTS 4.3.6.2665 build 20240131 and later
   • QTS 4.3.4.2675 build 20240131 and later
   • QTS 4.3.3.2644 build 20240131 and later
   • QTS 4.2.6 build 20240131 and later
   • QuTS hero h5.1.0.2466 build 20230721 and later
   • QuTS hero h5.0.1.2192 build 20221020 and later
   • QuTS hero h5.0.0.1986 build 20220324 and later
   • QuTS hero h4.5.4.1991 build 20220330 and later
       
3. Test the above URL again in your browser.
   • If you get the following response (HTTP 404 error), your system is now free from the vulnerabilities:
          "Page not found or the web server is currently unavailable. Please contact the website administrator for help."
   • If you get an empty page (HTTP 200), please update firmware immediately.

Updating QTS, QuTS hero, or QuTScloud

1. Log in to QTS, QuTS hero, or QuTScloud as an administrator.
2. Go to Control Panel > System > Firmware Update.
3. Under Live Update, click Check for Update.
   The system downloads and installs the latest available update.

Tip: You can also download the update from the QNAP website. Go to Support > Download Center and then perform a manual update for your specific device.