Security ID : NAS-201809-20
Security Advisory for Vulnerabilities in QTS
Release date : September 20, 2018
CVE identifier : CVE-2018-0719 | CVE-2018-0721
Affected products:
- QTS 4.2.6: build 20180711 and earlier versions
- QTS 4.3.3: build 20180725 and earlier versions
- QTS 4.3.4: build 20180710 and earlier versions
Severity
Critical
Status
Resolved
Summary
Two vulnerabilities in QTS were found recently:
- CVE-2018-0719: If exploited, this vulnerability could let attackers perform cross-site scripting attacks, allowing them to inject JavaScript code.
- CVE-2018-0721: If exploited, this buffer overflow vulnerability could allow attackers to run arbitrary code on NAS devices.
We have already fixed these issues in the following QTS versions:
- QTS 4.2.6: build 20180829 and later
- QTS 4.3.3: build 20180810 and later
- QTS 4.3.4: build 20180810 and later
Recommendation
To fix these vulnerabilities, we recommend updating QTS to the latest version.
Installing the QTS Update
- Log on to QTS as administrator.
- Go to Control Panel > System > Firmware Update.
- Under Live Update, click Check for Update.
QTS downloads and installs the latest available update.
Acknowledgements:
- CVE-2018-0719: Davide Cioccia, security researcher
- CVE-2018-0721: Yuki, security researcher
Revision History: V1.0 (September 20, 2018) - Published