Critical Authentication Bypass Flaw in QNAP NAS Devices Prompts Warning


QNAP, a Taiwanese Network Attached Storage (NAS) device manufacturer, has issued warnings about vulnerabilities affecting its NAS software products, namely QTS, QuTS hero, QuTScloud, and myQNAPcloud. These vulnerabilities could allow unauthorized access to devices.

The disclosed vulnerabilities encompass three critical issues: an authentication bypass (CVE-2024-21899), a command injection flaw (CVE-2024-21900), and an SQL injection vulnerability (CVE-2024-21901). The latter two require authenticated access, but the first can be exploited remotely without authentication, and the attack is low in complexity.

The impact spans various versions of QNAP's operating systems, including QTS 5.1.x, QTS 4.5.x, QuTS hero h5.1.x, QuTS hero h4.5.x, QuTScloud c5.x, and myQNAPcloud 1.0.x service. To address these vulnerabilities, users are urged to update to specific versions:

  • QTS build 20231110 and later
  • QTS build 20231225 and later
  • QuTS hero h5.1.3.2578 build 20231110 and later
  • QuTS hero h4.5.4.2626 build 20231225 and later
  • QuTScloud c5.1.5.2651 and later
  • myQNAPcloud 1.0.52 (2023/11/24) and later

To perform the updates for QTS, QuTS hero, and QuTScloud, users should log in as administrators, navigate to 'Control Panel > System > Firmware Update', and click 'Check for Update' to initiate the automatic installation process. For myQNAPcloud, users should log in as admin, access the 'App Center', search for 'myQNAPcloud', and click 'Update'.

NAS devices are susceptible to cyber threats because they store valuable data and are continuously connected to the internet. Notably, ransomware operations like DeadBolt, Checkmate, and Qlocker have previously targeted QNAP devices, often exploiting zero-day vulnerabilities to compromise fully patched systems.

To mitigate risks, NAS owners are advised to keep their software updated and refrain from exposing these devices to the internet unnecessarily. Proactive measures in updating firmware and limiting internet exposure can help safeguard against potential breaches and data loss.