Critical OS Command Injection Vulnerability Patched in Several QNAP NAS Operating Systems

CVE: CVE-2023-23368
CVSS v3.1: 9.8
Source: CVE-2023-23368

QNAP, a popular network-attached storage (NAS) manufacturer, has addressed a critical OS command injection vulnerability (CVE-2023-23368, CVSS v3.1 base score 9.8) affecting multiple versions of its NAS operating systems.

The vulnerability could allow a remote attacker to execute arbitrary commands on affected NAS devices via a network request; a 9.8 score corresponds to a flaw that is reachable over the network and exploitable without authentication or user interaction. By injecting operating system commands through an exposed API or application, an attacker gains whatever privileges the vulnerable process runs with, which on a NAS is typically enough to take full control of the device and read, alter or destroy any data stored on it.

Command injection bugs occur when user-supplied input is concatenated into a command line that is then handed to a shell or a system() call without validation or escaping, so shell metacharacters such as ";", "|", "&&" or "$(...)" in the input are interpreted as new commands. In this case QNAP's advisory states only that certain versions of its operating systems mishandle such input in a way that is exploitable over the network; it does not name the affected component.
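The following is an added example illustrating the bug class described above; it is not QNAP's code and does not reproduce the actual vulnerable component. It uses an assumed "host" request parameter and `echo` as a stand-in for whatever tool the real service invokes, so it runs offline. The vulnerable handler concatenates the parameter into a shell command line; the hardened handler applies two independent layers, an allow-list check on the input and an argv-list invocation that never involves a shell.

```python
"""Illustrative OS command injection: a vulnerable request handler beside a
hardened one. Added example, not QNAP's code; the "host" parameter and the
echo wrapper are assumptions chosen so the block runs offline on a POSIX host."""
import re
import subprocess

# Constructed request parameters: what a legitimate client sends, and what an
# attacker sends to append a second shell command.
BENIGN_INPUT = "192.0.2.10"
MALICIOUS_INPUT = "192.0.2.10; echo INJECTED"

# Strict allow-list: an IPv4 literal or a DNS hostname (labels of letters,
# digits and hyphens, joined by dots). Anything else is rejected outright.
_HOST_RE = re.compile(
    r"^(?:\d{1,3}(?:\.\d{1,3}){3}"
    r"|[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*)$"
)


def handle_vulnerable(host: str) -> str:
    """Vulnerable pattern: the request parameter is concatenated into a command
    line that is handed to /bin/sh (shell=True). Shell metacharacters in `host`
    such as ';' or '$(...)' are interpreted, so the attacker's text runs as its
    own command with the privileges of this process."""
    cmd = "echo checking " + host
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_without_shell(host: str) -> str:
    """Layer 2 alone: pass an argv list and never spawn a shell. The whole
    parameter becomes a single argument, so '; echo INJECTED' is just text
    echoed back rather than a second command."""
    result = subprocess.run(["echo", "checking", host],
                            capture_output=True, text=True, check=True)
    return result.stdout


def handle_hardened(host: str) -> str:
    """Hardened pattern: validate against the allow-list first (layer 1), then
    invoke without a shell (layer 2). Either layer on its own stops this
    payload; using both means a gap in one does not become a shell."""
    if not _HOST_RE.fullmatch(host):
        raise ValueError("host parameter failed validation")
    return run_without_shell(host)


def was_injected(output: str) -> bool:
    """True if the attacker's marker ran as its own command, i.e. it appears
    on a line of its own rather than embedded in the echoed text."""
    return "INJECTED" in output.splitlines()


if __name__ == "__main__":
    print("vulnerable :", repr(handle_vulnerable(MALICIOUS_INPUT)))
    print("argv only  :", repr(run_without_shell(MALICIOUS_INPUT)))
    try:
        handle_hardened(MALICIOUS_INPUT)
    except ValueError as exc:
        print("hardened   : rejected ->", exc)
```

Running the block shows the vulnerable handler emitting `INJECTED` on its own line, because `/bin/sh` split the concatenated string at the semicolon, while the argv-only call echoes the attacker's text back verbatim and the hardened handler refuses the input before any process is spawned.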

QNAP has fixed the vulnerability in QTS 5.0.1.2376, QTS 4.5.4.2374, QuTS hero h5.0.1.2376, QuTS hero h4.5.4.2374 and QuTScloud c5.0.1.2374; each of these is the earliest fixed build on its product line, and any later release on that line also contains the fix. Users are strongly advised to update their NAS devices immediately. The running version can be checked in the QTS or QuTS hero web interface under Control Panel > System > Firmware Update, which also offers to download and install the latest firmware.
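As an added example (not a QNAP tool), the script below takes a device's product line and firmware version string and reports whether it is at or above the fixed build listed above. The fixed builds are the ones quoted in this article; the rule that a build on the same product line and major version compares numerically against that entry, and the treatment of any other branch as "not listed", are this script's own assumptions, so a "not listed" or borderline result should be confirmed against QNAP's advisory.

```python
"""Compare QNAP firmware version strings against the fixed builds for
CVE-2023-23368. Added example, not a QNAP tool. Fixed builds are those quoted
in the article; mapping a device to an entry by (product, major version) is an
assumption of this script."""
import re

# Fixed builds from the advisory, keyed by (product line, major version).
# Each is described as "<version> and later", so a build on the same product
# line and major version that compares >= the entry is treated as fixed.
FIXED_BUILDS = {
    ("QTS", 5): "5.0.1.2376",
    ("QTS", 4): "4.5.4.2374",
    ("QuTS hero", 5): "h5.0.1.2376",
    ("QuTS hero", 4): "h4.5.4.2374",
    ("QuTScloud", 5): "c5.0.1.2374",
}

# QNAP version strings: optional product prefix (h = QuTS hero, c = QuTScloud)
# followed by four dot-separated numeric fields.
_VERSION_RE = re.compile(r"^[hc]?(\d+)\.(\d+)\.(\d+)\.(\d+)$")


def parse_version(ver: str) -> tuple:
    """Parse '5.0.1.2376', 'h5.0.1.2376' or 'c5.0.1.2374' into a tuple of
    ints that compares field by field; the h/c prefix is dropped."""
    m = _VERSION_RE.match(ver.strip())
    if not m:
        raise ValueError(f"unrecognised QNAP version string: {ver!r}")
    return tuple(int(g) for g in m.groups())


def assess(product: str, ver: str) -> str:
    """Return one of:
      'fixed'                  - at or above the listed fixed build
      'older than fixed build' - same line and major version, but below it
      'not listed'             - no entry for this product/major version
    """
    parsed = parse_version(ver)
    key = (product, parsed[0])
    if key not in FIXED_BUILDS:
        return "not listed"
    if parsed >= parse_version(FIXED_BUILDS[key]):
        return "fixed"
    return "older than fixed build"


if __name__ == "__main__":
    # Constructed inventory; these are sample values, not real devices.
    inventory = [
        ("nas-01", "QTS", "5.0.1.2376"),
        ("nas-02", "QTS", "5.0.0.1986"),
        ("nas-03", "QuTS hero", "h4.5.4.2374"),
        ("nas-04", "QuTScloud", "c5.0.1.2373"),
        ("nas-05", "QTS", "3.8.4.0000"),
    ]
    for name, product, ver in inventory:
        print(f"{name:8} {product:10} {ver:14} {assess(product, ver)}")
```

The comparison is done on the parsed four-field tuple rather than on the raw string, so "5.0.1.2376" correctly ranks above "5.0.1.999" and a later 5.1.x build is reported as fixed; keying on the major version keeps the 4.x and 5.x lines from being compared against each other's baseline.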

Keeping a NAS on the latest security patches, including its installed apps, is one of the best ways to stay protected. Users should also change default credentials (QNAP recommends disabling the default "admin" account in favour of a named administrator), enable two-factor authentication where possible, and avoid exposing the NAS management interface directly to the internet, for example by disabling UPnP port forwarding on the router and reaching the device through a VPN instead. These basic precautions limit what an unauthenticated network-reachable flaw like this one can be used for, even before a patch is applied.
