Security ID : QSA-21-44

Command Injection Vulnerability in the Media Streaming Add-On


  • Release date : October 22, 2021

  • CVE identifier : CVE-2021-34362

  • Affected products: QNAP NAS running the Media Streaming add-on

Severity

Important

Status

Resolved


Summary

A command injection vulnerability has been reported to affect QNAP NAS running the Media Streaming add-on. If exploited, this vulnerability allows remote attackers to run arbitrary commands.

We have already fixed this vulnerability in the following versions of the Media Streaming add-on:

  • QTS 5.0.0: Media Streaming add-on 500.0.0.3 (2021/08/20) and later
  • QTS 4.5.4: Media Streaming add-on 500.0.0.3 (2021/08/20) and later
  • QTS 4.3.6: Media Streaming add-on 430.1.8.12 (2021/08/20) and later
  • QTS 4.3.3: Media Streaming add-on 430.1.8.12 (2021/09/29) and later
  • QuTS hero h5.0.0: Media Streaming add-on 500.0.0.3 (2021/08/20) and later
  • QuTS hero h4.5.4: Media Streaming add-on 500.0.0.3 (2021/08/20) and later
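
The fixed-version list above can be checked across a fleet. The following is an added example, not QNAP code: it assumes you already have each unit's OS branch, add-on version and build date (the inventory rows are constructed), and it reads "and later" as a higher version number, or the same version with a build date on or after the listed one. QTS 4.3.3 and QTS 4.3.6 share version 430.1.8.12 but have different fixed build dates, so the date has to be compared as well.

```python
from datetime import date

# Fixed builds copied from this advisory: OS branch -> (add-on version, build date).
FIXED = {
    "QTS 5.0.0": ((500, 0, 0, 3), date(2021, 8, 20)),
    "QTS 4.5.4": ((500, 0, 0, 3), date(2021, 8, 20)),
    "QTS 4.3.6": ((430, 1, 8, 12), date(2021, 8, 20)),
    "QTS 4.3.3": ((430, 1, 8, 12), date(2021, 9, 29)),
    "QuTS hero h5.0.0": ((500, 0, 0, 3), date(2021, 8, 20)),
    "QuTS hero h4.5.4": ((500, 0, 0, 3), date(2021, 8, 20)),
}

def parse_version(text):
    """'430.1.8.12' -> (430, 1, 8, 12); raises ValueError on non-numeric parts."""
    return tuple(int(part) for part in text.strip().split("."))

def parse_build(text):
    """'2021/09/29' -> date(2021, 9, 29); raises ValueError if malformed."""
    year, month, day = (int(part) for part in text.strip().split("/"))
    return date(year, month, day)

def status(os_branch, addon_version, build):
    """Return 'fixed', 'update', or 'unknown' for one NAS."""
    if os_branch not in FIXED:
        return "unknown"  # branch not listed in the advisory
    try:
        have = (parse_version(addon_version), parse_build(build))
    except ValueError:
        return "unknown"  # unparseable inventory data, check by hand
    # Tuple comparison: version first, build date breaks ties.
    return "fixed" if have >= FIXED[os_branch] else "update"

# Constructed inventory rows: (host, OS branch, add-on version, build date).
INVENTORY = [
    ("nas-a", "QTS 4.3.3", "430.1.8.12", "2021/08/20"),
    ("nas-b", "QTS 4.3.6", "430.1.8.12", "2021/08/20"),
    ("nas-c", "QTS 5.0.0", "500.0.0.2", "2021/07/01"),
    ("nas-d", "QTS 4.5.4", "500.0.1.0", "2021/11/05"),
    ("nas-e", "QTS 4.2.6", "430.1.8.12", "2021/09/29"),
]

def audit(rows):
    """Map each host to its status."""
    return {host: status(branch, ver, build) for host, branch, ver, build in rows}
```
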

Recommendation

To fix the vulnerability, we recommend updating the Media Streaming add-on to the latest version.

Updating the Media Streaming Add-On

  1. Log on to QTS as administrator.
  2. Open the App Center and then click the search icon.
    A search box appears.
  3. Type “Media Streaming add-on” and then press ENTER.
    The Media Streaming add-on appears in the search results.
  4. Click Update.
    A confirmation message appears.
    Note: The Update button is not available if your Media Streaming add-on is already up to date.
  5. Click OK.
    The application is updated.

Acknowledgements: Tony Martin, a security researcher

Revision History: V1.0 (October 22, 2021) - Published
