Security ID : NAS-201806-01
Security Advisory for Proxy Server Vulnerabilities
Release date : June 1, 2018
CVE identifier : CVE-2017-7635 | CVE-2017-7636 | CVE-2017-7637| CVE-2017-7639
Affected products: Proxy Server versions 1.2.0 and earlier
Severity
Critical
Status
Resolved
Summary
Four vulnerabilities were reported on Proxy Server versions 1.2.0 and earlier. We have listed information on each vulnerability below.
- CVE-2017-7635: This cross-site request forgery (CSRF) vulnerability could allow attackers to force NAS users to execute unwanted actions through a web application.
- CVE-2017-7636: This cross-site scripting (XSS) vulnerability could allow remote attackers to inject Javascript code in the application.
- CVE-2017-7637: If exploited, this vulnerability could allow remote attackers to run arbitrary OS commands on the NAS.
- CVE-2017-7639: This vulnerability does not authenticate requests properly. If exploited, it could allow attackers to change Proxy Server settings.
We have fixed these issues in Proxy Server versions 1.3.0 and later.
For x31 and x31U models, we have fixed these issues in Proxy Server versions 1.2.1 and later.
Recommendation
To resolve the issue, you must update Proxy Server to version 1.3.0 or later.
For users with x31 and x31U models, you must update Proxy Server to version 1.2.1 or later.
Upgrading to the latest Proxy Server version
- Log on to QTS as administrator.
- Open the App Center, and then click the Search icon.
A search box appears. - Type "Proxy Server", and then press ENTER.
- The Proxy Server application appears in the search results list.
Click Update. - A confirmation message appears.
Click OK. - The application is updated.
Acknowledgements: Tony Martin, information security researcher
Revision History: V1.0 (June 01, 2018) - Published
