Critical CRLF Injection and Command Injection Vulnerabilities in QNAP Systems

ISGroup Cybersecurity

QNAP has identified and resolved critical vulnerabilities in its License Center and QTS/QuTS hero operating systems. These include CRLF Injection and Command Injection vulnerabilities that pose significant security risks. Public analyses reveal that over 4 million QNAP assets are exposed online, highlighting the urgency of addressing these vulnerabilities. Attackers exploiting these flaws can execute arbitrary commands or manipulate application data, potentially compromising system integrity and confidentiality.

ProductQNAP Turbo NAS
Date2024-12-13 17:14:24
Information
  • Trending
  • Fix Available

Technical Summary

  1. Command Injection Vulnerability (CVE-2024-48863):

    • Affected component: License Center (versions 1.9.x)
    • Severity: High (CVSS 7.7)
    • Impact: Remote attackers can execute arbitrary commands, gaining full control of the system.
  2. CRLF Injection Vulnerabilities (CVE-2024-48867, CVE-2024-48868):

    • Affected component: QTS and QuTS hero
    • Severity: High
    • Impact: Remote attackers can modify application data by exploiting improper handling of CRLF (Carriage Return and Line Feed) sequences, potentially causing unexpected system behavior or data manipulation.
  3. Command Injection Vulnerability (CVE-2024-50393):

    • Affected component: QTS and QuTS hero
    • Severity: Critical (CVSS 8.7)
    • Impact: Remote attackers can execute arbitrary commands, allowing for total compromise of the affected systems.

Recommendations

  1. Immediate Updates:

    • License Center: Update to version 1.9.43 or later to mitigate CVE-2024-48863.
    • QTS and QuTS hero: Update to the latest available versions to resolve CVE-2024-48867, CVE-2024-48868, and CVE-2024-50393.
  2. System Hardening:

    • Restrict access to QNAP devices to trusted IP ranges.
    • Disable unnecessary services to reduce the attack surface.

[Callforaction-THREAT-Footer]