Qnap Security Advisory Bulletin ID: QSA-20-17 ~ QSA-20-20

Qnap Systems, Inc. had published security enhancement vs. security vulnerabilities that could affect specific versions of company’s products. Following information and solutions to correct the security issues and vulnerabilities.

This advisory includes following:

• Multiple Vulnerabilities in QES (ID: QSA-20-17)

• Command Injection Vulnerability in QES (ID: QSA-20-18)

• Hard-coded Password Vulnerability in QES (ID: QSA-20-19)

• Command Injection Vulnerability in QTS and QuTS hero (ID: QSA-20-20)

Multiple Vulnerabilities in QES
Security ID: QSA-20-17
Release date: December 23, 2020
Severity: High
CVE identifier: CVE-2020-2503 | CVE-2020-2504 | CVE-2020-2505
Affected products: Qnap NAS running QES

Summary
Three vulnerabilities have been reported to affect earlier versions of QES. 

• CVE-2020-2503: If exploited, this stored cross-site scripting vulnerability could allow remote attackers to inject malicious code in File Station.

• CVE-2020-2504: If exploited, this absolute path traversal vulnerability could allow attackers to traverse files in File Station.

• CVE-2020-2505: If exploited, this vulnerability could allow attackers to gain sensitive information via generation of error messages.

Qnap has already fixed these issues in QES 2.1.1 Build 20201006 and later. Link

Command Injection Vulnerability in QES
Security ID: QSA-20-18
Release date: December 23, 2020
Severity: High
CVE identifier: CVE-2016-6903
Affected products: Qnap NAS running QES

Summary
A command injection vulnerability has been reported to affect earlier versions of QES. If exploited, this vulnerability could allow remote attackers to run arbitrary commands in Ishell.

Qnap has already fixed the issue in QES 2.1.1 Build 20201006 and later. Link

Hard-coded Password Vulnerability in QES
Security ID: QSA-20-19
Release date: December 23, 2020
Severity: High
CVE identifier: CVE-2020-2499
Affected products: Qnap NAS running QES

Summary
A hard-coded password vulnerability has been reported to affect earlier versions of QES. If exploited, this vulnerability could allow attackers to log in with a hard-coded password.

Qnap has already fixed the issue in QES 2.1.1 Build 20200515 and later. Link

Command Injection Vulnerability in QTS and QuTS hero
Security ID: QSA-20-20
Release date: December 23, 2020
Severity: High
CVE identifier: CVE-2020-25847
Affected products: Certain Qnap NAS

Summary
A command injection vulnerability has been reported to affect QTS and QuTS hero NAS OS.

If exploited, this vulnerability allows attackers to execute arbitrary commands in a compromised application. 

We have already fixed this vulnerability in the following versions:

• QTS 4.5.1.1495 build 20201123 (and later)

• QuTS hero h4.5.1.1491 build 20201119 (and later)

This issue does not affect QTS 4.3.x or QTS 4.2.x NAS OS. Link