.png)
3 hours ago
4 BOOK THIS SPACE FOR AD
ARTICLE ADTaiwanese NAS maker QNAP addressed 24 vulnerabilities across various products over the weekend.
The flaws include two critical and nine "high" severity vulnerabilities, potentially resulting in code execution, file read/write, authentication bypass, information disclosure, and elevation of privileges.
QNAP's Notes Station 3 (versions 3.9.x), a collaborative note-taking and sharing app, was arguably affected the worst, with both critical bugs localized to the product, as well as two other high-severity issues.
A range of other QNAP products were also among those affected by the flaws, including Photo Station, AI Core, QuLog Center, QuRouter, Media Streaming Add-on, QTS and QuTS hero.
The previous series of operating system versions for both QTS and QuTS hero – the OSes for the entry and mid-level NAS devices and the high-end and enterprise-level devices – also appear to be vulnerable to older OpenSSH flaws.
Both QTS (5.1.x) and QuTS hero (h5.1.x) were found to be vulnerable to CVE-2023-38408, CVE-2021-41617, and CVE-2020-14145. If upgrading to the 5.2 series isn't an option, there are some fixes available for the 5.1 series, according to the vendor's advisory.
The patches were released on November 23, a Saturday, but we're sure that wasn't to ensure they flew under the radar. Regardless, we asked QNAP about why it chose to disclose them all on Saturday and we'll update the article if it responds.
The vendor was forced to pull a QTS firmware update last week following a flurry of user reports that their NAS devices, once updated, suffered various malfunctions.
QNAP told The Register: "We recently released the QTS 5.2.2.2950 build 20241114 operating system update and received feedback from some users reporting issues with device functionality after installation.
"In response, QNAP promptly withdrew the operating system update, conducted a comprehensive investigation, and re-released a stable version of QTS 5.2.2.2950 build 20241114 within 24 hours."
Veritas's snail-paced patches
On the topic of weekend disclosures, a series of CVEs were published by the National Vulnerability Database on November 24, a Sunday, regarding previously disclosed bugs by enterprise data management biz Veritas.
Each of the seven vulnerabilities was given a preliminary 9.8 (critical) severity rating by MITRE using the CVSSv3 system and they all affect Veritas Enterprise Vault, the company's email archiving and enterprise data retention platform.
The CVEs are:
They were all reported to the vendor in July by researcher Sina Kheirkhah, via the Zero-Day Initiative (ZDI). A November 21 deadline to fix the issues applied to all the vulnerabilities – a deadline that has now passed.
Russian spies may have moved in next door to target your network 1,000s of Palo Alto Networks firewalls hijacked as miscreants exploit critical hole Here's what happens if you don't layer network security – or remove unused web shells 'Alarming' security bugs lay low in Linux's needrestart utility for 10 yearsVeritas originally disclosed the bugs – without CVEs – on November 15, along with a mitigation. It said it plans to patch them all in version 15.2 of the platform, the general availability of which is expected in Q3 2025.
As for why patching will take so long, we have no idea. We asked the vendor for answers and it promised to get them over to us quickly.
What we do know is that the vulnerabilities are all related to how the product handles the deserialization of untrusted data sent over a .NET Remoting TCP port.
"On start-up, the Enterprise Vault application starts several services that listen on random .NET Remoting TCP ports for possible commands from client applications," Veritas's advisory reads.
"These TCP ports can be exploited due to vulnerabilities that are inherent to the .NET Remoting service. A malicious attacker can exploit both TCP remoting services and local IPC services on the Enterprise Vault Server."
Successful exploitation can lead to code execution that could in turn lead to an attacker taking control of affected systems.
There are a few conditions that must be met for servers to be vulnerable. An attacker would need to have the necessary privileges to establish an RDP connection to a vulnerable server. This means they would need to be part of the RDP user group and know specific details, including the server's IP address, process IDs, dynamic TCP ports, and remotable object URIs.
A successful attack would also hinge on an improperly configured firewall on the server.
All currently supported versions are vulnerable and legacy versions may be too. The mitigation is outlined in the advisory and given the many monoths it's going to take for patches to be released, it's a good idea to get it applied. ®
Bengali (Bangladesh) · 
English (United States) ·