QNAP has recently released a security update to address several vulnerabilities, including three critical ones. Users are strongly advised to apply the fixes to mitigate any potential risks.
One of the notable vulnerabilities was discovered in the Notes Station 3 application used in NAS systems. The vulnerability, identified as CVE-2024-38643 with a CVSS rating of 9.3, allows attackers to gain unauthorized access and execute system functions without prior authorization. Another critical flaw, CVE-2024-38645 (CVSS: 9.4), involves server-side request forgery (SSRF) that could potentially lead to a data leak. These vulnerabilities have been addressed in version 3.9.7 of the application.
In QuRouter version 2.4.x, a critical vulnerability, CVE-2024-48860 (CVSS: 9.5), was identified that allows remote attackers to execute commands on the system. The fix for this issue is available in version 2.4.3.106, which also resolves a less severe flaw, CVE-2024-48861 (CVSS: 7.3).
Additionally, vulnerabilities CVE-2024-38644 (CVSS: 8.7) and CVE-2024-38646 (CVSS: 8.4) were identified, involving the execution of commands and access to data, requiring user consideration.
Furthermore, updates have also been made to QNAP AI Core, QuLog Center, and the QTS and QuTS hero operating systems. Some of the key updates include: