This improper input validation vulnerability allows remote attackers to inject arbitrary code to the system. To fix the vulnerability, QNAP recommend updating QTS to their latest versions.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Qts | Qnap | 4.3.6.0895 (including) | 4.3.6.0895 (including) |
| Qts | Qnap | 4.3.6.0907 (including) | 4.3.6.0907 (including) |
| Qts | Qnap | 4.3.6.0923 (including) | 4.3.6.0923 (including) |
| Qts | Qnap | 4.3.6.0944 (including) | 4.3.6.0944 (including) |
| Qts | Qnap | 4.3.6.0959 (including) | 4.3.6.0959 (including) |
| Qts | Qnap | 4.3.6.0979 (including) | 4.3.6.0979 (including) |
| Qts | Qnap | 4.3.6.0993 (including) | 4.3.6.0993 (including) |
| Qts | Qnap | 4.3.6.1013 (including) | 4.3.6.1013 (including) |
| Qts | Qnap | 4.3.6.1033 (including) | 4.3.6.1033 (including) |
| Qts | Qnap | 4.4.1.0948-beta (including) | 4.4.1.0948-beta (including) |
| Qts | Qnap | 4.4.1.0949-beta (including) | 4.4.1.0949-beta (including) |
| Qts | Qnap | 4.4.1.0978-beta_2 (including) | 4.4.1.0978-beta_2 (including) |
| Qts | Qnap | 4.4.1.0998-beta_3 (including) | 4.4.1.0998-beta_3 (including) |
| Qts | Qnap | 4.4.1.0999-beta_3 (including) | 4.4.1.0999-beta_3 (including) |
| Qts | Qnap | 4.4.1.1031-beta_4 (including) | 4.4.1.1031-beta_4 (including) |
| Qts | Qnap | 4.4.1.1033-beta_4 (including) | 4.4.1.1033-beta_4 (including) |
References
- http://packetstormsecurity.com/files/157857/QNAP-QTS-And-Photo-Station-6.0.3-Remote-Command-Execution.html
- https://www.qnap.com/zh-tw/security-advisory/nas-201911-25
- http://packetstormsecurity.com/files/157857/QNAP-QTS-And-Photo-Station-6.0.3-Remote-Command-Execution.html
- https://www.qnap.com/zh-tw/security-advisory/nas-201911-25
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-7193