Security ID : NAS-201806-19

Security Advisory for Command Injection Vulnerability in LDAP Server


  • Release date : June 19, 2018

  • CVE identifier : CVE-2018-0712

  • Affected products: LDAP Server in the following QTS versions
    • QTS 4.2.6: build 20171208 and earlier versions
    • QTS 4.3.3: build 20180402 and earlier versions
    • QTS 4.3.4: build 20180413 and earlier versions

Severity

Critical

Status

Resolved


Summary

A command injection vulnerability was recently found in LDAP Server of several earlier QTS versions. Once exploited, this vulnerability could allow remote attackers to run arbitrary commands or install malware on the NAS. Attacks that leverage this vulnerability are known to affect File Station.

We have already fixed this issue in the following QTS versions.

  • QTS 4.2.6: build 20180504 and later
  • QTS 4.3.3: build 20180504 and later
  • QTS 4.3.4: build 20180501 and later

Recommendation

To fix this vulnerability, we recommend updating QTS to the latest version.

Afterwards, you may run Malware Remover version 2.4.0 or later to remove any possible threats from your NAS.

Installing the QTS Update

  1. Log on to QTS as administrator.
  2. Go to Control Panel > System > Firmware Update.
  3. Under Live Update, click Check for Update.
    QTS downloads and installs the latest available update.

Removing Malware Using Malware Remover version 2.4.0 or later

  1. Log on to QTS as administrator.
  2. Open the App Center, and then click the Search icon.
    A search box appears.
  3. Type “Malware Remover”, and then press ENTER.
    The Malware Remover application appears in the search results list.
  4. Perform one of the following actions.
    • If you have Malware Remover installed, click Update.
    • If you do not have Malware Remover installed, click Install.
    A confirmation message appears.
  5. Click OK.
    QTS downloads and installs the latest available update.
    Malware Remover automatically scans the NAS and removes all related threats.

 

Revision History: V1.0 (June 19, 2018) - Published
