We will be happy to advise you!

Hotline:
+49 (0) 40 38 90 710

E-mail:
info@secion.de

Contact form

QNAP releases firmware patches for 9 vulnerabilities in video surveillance systems and NAS devices

by

Reading time: minutes ( words)
QNAP closes security holes - Patch your firmware now!

Taiwanese manufacturer QNAP has released a series of security updates for vulnerabilities, including one that the company classifies as critical.

"A vulnerability has been reported that affects QNAP VS Series NVR with QVR," QNAP said in a statement. "If this vulnerability is exploited, remote attackers can execute arbitrary commands." The VS Series NVR video surveillance system and various models of network-attached storage (NAS) devices are affected. QNAP administrators should apply the provided updates promptly.

The latest vulnerability in the video surveillance system is listed as CVE-2022-27588 (CVSS score: 9.8) and has been fixed in QVR 5.1.6 build 20220401 and higher.

QNAP is also fixing other vulnerabilities rated as "medium" and "high" in the operating system and software of NAS devices: The QTS, QuTS hero and QuTScloud systems as well as Photo Station and Video Station are affected. Attackers could execute their own commands on the devices and compromise the security of systems.

The manufacturer's warning messages linked below contain information about the secured versions of all affected devices:

Vulnerability in QVR:

  • CVE-2022-27588 (CVSS score: 9.8).

This critical vulnerability has been fixed in QVR 5.1.6 build 20220401 and above. It was reported by the Japan Computer Emergency Response Team Coordination Center (JPCERT/CC). It is considered to be particularly severe because the vulnerability can be used to inject malicious code onto the system.


Recommended action:

In its warning message, the company itself classifies this vulnerability as critical. Attackers could remotely load malicious code onto affected devices. Please make sure that your devices are not affected and perform the recommended updates.

Path traversal vulnerability in thttpd:

  • CVE-2021-38693 (CVSS score: 5.3)

A path traversal vulnerability in thttpd affecting QNAP devices running QTS, QuTS hero, QuTScloud, and QVR Pro Appliance resulting in information disclosure.

Vulnerability in Photo Station:

  • CVE-2021-44057 (CVSS score: 7.1)

An authentication vulnerability in QNAP devices running Photo Station that could lead to system compromise.

Multiple vulnerabilities in QTS, QuTS hero, and QuTScloud:

  • CVE-2021-44051 (CVSS score: 8.8)

A vulnerability in QNAP devices running QTS, QuTS hero, and QuTScloud that allows execution of arbitrary commands.

  • CVE-2021-44052 (CVSS score: 6.5)

Improper link resolution before file access ("link following") in QNAP devices running QTS, QuTS hero, and QuTScloud, allowing attackers to read/write files in arbitrary locations.

  • CVE-2021-44053 (CVSS score: 5.7)

A cross-site scripting (XSS) vulnerability in QNAP devices running QTS, QuTS hero, and QuTScloud that leads to code injection.

  • CVE-2021-44054 (CVSS score: 4.3).

An open redirection vulnerability in QNAP devices running QTS, QuTS hero, and QuTScloud that allows redirecting users to rogue websites.

Multiple vulnerabilities in Video Station:

  • CVE-2021-44055 (CVSS score: 5.3).

A missing authorization vulnerability in QNAP devices running Video Station that allows attackers to access data or perform unauthorized actions

  • CVE-2021-44056 (CVSS score: 7.1)

An unauthorized authentication vulnerability in QNAP devices running Video Station, which could lead to system compromise

The required updates are available in QNAP's download center.

Need help upgrading your IT security for 2022? Contact us!

By clicking on the "Submit" button, you confirm that you have read our privacy policy. You give your consent to the use of your personal data for the purpose of contacting you by Allgeier secion, Zweigniederlassung der Allgeier CyRis GmbH.

* Mandatory field

Go back

Related articles

QakBot malware: Warning of increasing attacks

Warning of rising attacks with QakBot malware

For several days now, there has been a strong accumulation of successful compromises by the "QakBot" malware (also known as "QBot" and "QuackBot") worldwide. We have also already identified successful attacks as part of our ACD monitoring. After infection, criminals can gain access to online banking accounts, leak user data, and reload further malware. As one measure to mitigate the risk, we urgently recommend adjustments to the Group Policy Objects (GPO).

New ransomware trend: Why criminals increasingly rely on intermittent encryption

Intermittent encryption: the new ransomware trend

Cybercriminals are true masters at constantly adapting their attack mechanisms to effective IT security measures. New tools and iterative changes to existing malware are used to mercilessly exploit security vulnerabilities. Among the numerous threats, ransomware stands out as one of the biggest. More and more companies have to face extortion Trojans. A completely new threat called LockFile now relies on intermittent encryption. LockFile not only encrypts much faster than previous ransomware, but also bypasses security solutions that work reliably. This article shows why criminals are increasingly relying on intermittent encryption and how companies should react to the new threat.

secion's assessment of the security threats to companies following the outbreak of the war in Ukraine

How the Ukraine war affects corporate IT security

Due to the war in Ukraine, secion provides an assessment of the threat situation for companies and examines the question of whether increased Russian attacks on companies in Germany, Austria and Switzerland can be identified. There is currently no evidence of an acute increase in the threat posed by Russian state actors in Western Europe, but there is increased public awareness of these cyberattacks. In addition, "third-party actors" are creating a new dynamic.