
QNAP warns of critical command injection flaws in QTS OS, apps


Jasper_The_Rasper
Moderator

November 6, 2023 By Bill Toulas

 


QNAP Systems published security advisories for two critical command injection vulnerabilities that impact multiple versions of the QTS operating system and applications on its network-attached storage (NAS) devices.

The first flaw is being tracked as CVE-2023-23368 and has a critical severity rating of 9.8 out of 10. It is a command injection vulnerability that a remote attacker can exploit to execute commands via a network.

QTS versions affected by the security issue are QTS 5.0.x and 4.5.x, QuTS hero h5.0.x and h4.5.x, and QuTScloud c5.0.1.

Fixes are available in the following releases: 

  • QTS 5.0.1.2376 build 20230421 and later
  • QTS 4.5.4.2374 build 20230416 and later
  • QuTS hero h5.0.1.2376 build 20230421 and later
  • QuTS hero h4.5.4.2374 build 20230417 and later
  • QuTScloud c5.0.1.2374 and later

The second vulnerability is identified as CVE-2023-23369 and has a lower severity rating of 9.0. A remote attacker could also exploit it to the same effect as the previous one.

Impacted QTS versions include 5.1.x, 4.3.6, 4.3.4, 4.3.3, and 4.2.x, Multimedia Console 2.1.x and 1.4.x, and Media Streaming add-on 500.1.x and 500.0.x.

Fixes are available in:

  • QTS 5.1.0.2399 build 20230515 and later
  • QTS 4.3.6.2441 build 20230621 and later
  • QTS 4.3.4.2451 build 20230621 and later
  • QTS 4.3.3.2420 build 20230621 and later
  • QTS 4.2.6 build 20230621 and later
  • Multimedia Console 2.1.2 (2023/05/04) and later
  • Multimedia Console 1.4.8 (2023/05/05) and later
  • Media Streaming add-on 500.1.1.2 (2023/06/12) and later
  • Media Streaming add-on 500.0.0.11 (2023/06/16) and later

 

>> Full Article <<
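A check a defender could run over a firmware inventory against the fixed releases listed above. This is an added example, not code from the article or from QNAP; it assumes inventory lines in the same `<product> <version> build <YYYYMMDD>` form the lists use, and `FIXED`, `check` and the sample lines are hypothetical names and constructed data.

```python
import re

# Fixed releases transcribed from the lists above:
# (product, affected branch prefix, first fixed version, build/release date YYYYMMDD or None).
FIXED = {
    "CVE-2023-23368": [
        ("QTS", "5.0", "5.0.1.2376", 20230421),
        ("QTS", "4.5", "4.5.4.2374", 20230416),
        ("QuTS hero", "h5.0", "h5.0.1.2376", 20230421),
        ("QuTS hero", "h4.5", "h4.5.4.2374", 20230417),
        ("QuTScloud", "c5.0.1", "c5.0.1.2374", None),
    ],
    "CVE-2023-23369": [
        ("QTS", "5.1", "5.1.0.2399", 20230515),
        ("QTS", "4.3.6", "4.3.6.2441", 20230621),
        ("QTS", "4.3.4", "4.3.4.2451", 20230621),
        ("QTS", "4.3.3", "4.3.3.2420", 20230621),
        ("QTS", "4.2", "4.2.6", 20230621),
        ("Multimedia Console", "2.1", "2.1.2", 20230504),
        ("Multimedia Console", "1.4", "1.4.8", 20230505),
        ("Media Streaming add-on", "500.1", "500.1.1.2", 20230612),
        ("Media Streaming add-on", "500.0", "500.0.0.11", 20230616),
    ],
}
LINE = re.compile(r"^(.+?) ([hc]?\d+(?:\.\d+)+)(?: build (\d{8}))?$")

def _nums(version):
    return tuple(int(n) for n in re.findall(r"\d+", version))

def check(entry):
    """Map each CVE whose affected branch matches `entry` to 'patched' or 'VULNERABLE'."""
    m = LINE.match(entry.strip())
    if not m:
        raise ValueError(f"unrecognised inventory line: {entry!r}")
    product, version, build = m.group(1), m.group(2), m.group(3)
    result = {}
    for cve, rows in FIXED.items():
        for prod, branch, fixed_ver, fixed_build in rows:
            if prod != product or not (version + ".").startswith(branch + "."):
                continue
            have, need = _nums(version), _nums(fixed_ver)
            if have == need and build and fixed_build:
                ok = int(build) >= fixed_build  # same version number: decide on build date
            else:
                ok = have >= need
            result[cve] = "patched" if ok else "VULNERABLE"
    return result

# Constructed inventory lines (not real devices).
SAMPLE = ["QTS 5.0.1.2346 build 20230322", "QTS 4.2.6 build 20230621"]
```

An empty result means the branch is not one this page lists, not that the device is unaffected; check such devices against the vendor advisories directly.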
