Security ID: NAS-201803-08

Security Advisory for Media Streaming Add-On


  • Release date: March 8, 2018

  • CVE identifiers: CVE-2017-7634 | CVE-2017-7638 | CVE-2017-7640 | CVE-2017-7641

  • Affected products: All QNAP NAS running QTS versions 4.3.3, 4.2.6, and earlier currently installed with the Media Streaming Add-On versions 421.1.0.2, 430.1.2.0, and earlier

Severity

Critical

Status

Resolved


Summary

Four vulnerabilities were reported on Media Streaming Add-On versions 421.1.0.2, 430.1.2.0, and earlier. We have listed information on each vulnerability below.

  • CVE-2017-7634: This cross-site scripting (XSS) vulnerability allows remote attackers to inject malicious code in the application.
  • CVE-2017-7638: This vulnerability does not allow proper authentication of requests. If attackers are able to successfully exploit this flaw, they may gain access to sensitive information stored in the NAS or change its settings.
  • CVE-2017-7640: If exploited, this vulnerability allows remote attackers to run arbitrary OS commands.
  • CVE-2017-7641: This vulnerability allows cross-site request forgery (CSRF), where attackers may force NAS users to execute unwanted actions through a web application.

We have fixed these vulnerabilities in the following Media Streaming Add-On versions.

  • QTS 4.3.3: Media Streaming Add-On 430.1.3.0 and later
  • QTS 4.2.6: Media Streaming Add-On 421.1.0.3 and later

QTS versions 4.3.4 and later are not affected by these vulnerabilities.

Recommendation

To fix these vulnerabilities, you must first update QTS to the following builds.

  • QTS 4.2.6 build 20170517 or later
  • QTS 4.3.3 build 20170516 or later

You must then install one of the following Media Streaming Add-On updates.

  • QTS 4.3.3: Media Streaming Add-On 430.1.3.0 or later
  • QTS 4.2.6: Media Streaming Add-On 421.1.0.3 or later

Installing the QTS Update

  1. Log on to QTS as administrator.
  2. Go to Control Panel > System > Firmware Update.
  3. Under Live Update, click Check for Update.

Tip: You can also download the update from the QNAP website. Go to Support > Download and then perform a manual update.

Installing the Media Streaming Add-On Update

  1. Go to App Center > My Apps.
  2. Click Media Streaming Add-On.
  3. Click Update.

Note: The Update button is not available if you are using the latest version.
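The version requirements above can be checked across a device inventory. The following is an added example, not QNAP code: the function names and inventory rows are constructed for illustration, and the handling of QTS releases with no listed fix is an assumption.

```python
from typing import List, Optional

# From this advisory: QTS release -> (minimum build, minimum add-on version).
FIXED = {
    (4, 3, 3): (20170516, (430, 1, 3, 0)),
    (4, 2, 6): (20170517, (421, 1, 0, 3)),
}
NOT_AFFECTED_FROM = (4, 3, 4)  # QTS 4.3.4 and later are not affected


def parse_version(text: str) -> tuple:
    """Turn '430.1.2.0' into (430, 1, 2, 0) so versions compare numerically."""
    return tuple(int(part) for part in text.strip().split("."))


def required_actions(qts: str, build: int, addon: Optional[str]) -> List[str]:
    """Return the update steps a device still needs; an empty list means none."""
    release = parse_version(qts)
    if addon is None or release >= NOT_AFFECTED_FROM:
        return []  # add-on not installed, or QTS release outside the affected range
    if release not in FIXED:
        # Assumption: a release with no listed fix must first move to a
        # QTS release the advisory names.
        return ["upgrade QTS to 4.2.6 build 20170517 or 4.3.3 build 20170516, or later"]
    min_build, min_addon = FIXED[release]
    actions = []
    if build < min_build:
        actions.append(f"update QTS {qts} to build {min_build} or later")
    if parse_version(addon) < min_addon:
        fixed = ".".join(map(str, min_addon))
        actions.append(f"update Media Streaming Add-On to {fixed} or later")
    return actions


# Constructed inventory rows: (hostname, QTS release, QTS build, add-on version).
INVENTORY = [
    ("nas-a", "4.3.3", 20170413, "430.1.2.0"),
    ("nas-b", "4.2.6", 20170517, "421.1.0.2"),
    ("nas-c", "4.3.3", 20170516, "430.1.3.0"),
    ("nas-d", "4.3.4", 20171213, "430.1.2.0"),
]


def audit(inventory) -> dict:
    """Map each hostname to the update steps it still needs."""
    return {host: required_actions(q, b, a) for host, q, b, a in inventory}


if __name__ == "__main__":
    for host, actions in audit(INVENTORY).items():
        print(host, "OK" if not actions else "; ".join(actions))
```

Versions are compared as integer tuples rather than strings, so an add-on version such as 430.1.10.0 is correctly treated as newer than 430.1.3.0.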

 

Acknowledgements: Tony Martin, information security researcher

Revision history: V1.0 (March 8, 2018) - Published
