What are you looking for ?
Mobile Search Icon
Mobile Menu Icon
Infinidat
Articles_top

Qnap Security Advisory Bulletin ID: QSA-20-21 ~ QSA-20-23 Affecting NAS

Concerning improper limitation of pathname to restricted directory in QTS, cleartext transmission of sensitive information in SNMP, and cleartext storage of sensitive information in cookies

This is a Press Release edited by StorageNewsletter.com on December 31, 2020 at 2:07 pm

Qnap Systems, Inc. had published security enhancement vs. security vulnerabilities that could affect specific versions of products.

Following information and solutions to correct the security issues and vulnerabilities:

Advisory includes following:

Improper Limitation of Pathname to Restricted Directory in QTS
Security ID: QSA-20-21
Release date: December 30, 2020
Severity: High
CVE identifier: CVE-2018-19945
Affected products: Certain Qnap NAS

Summary
A vulnerability has been reported to affect earlier Qnap devices running QTS 4.3.4 to 4.3.6. Caused by improper limitations of a pathname to a restricted directory, this vulnerability allows for renaming arbitrary files on the target system, if exploited.

We have already fixed this vulnerability in the following versions:

  • QTS 4.3.6.0895 build 20190328 (and later)

  • QTS 4.3.4.0899 build 20190322 (and later)

This issue does not affect QTS 4.4.x or QTS 4.5.x.

Link for information

Cleartext Transmission of Sensitive Information in SNMP
Security ID: QSA-20-22
Release date: December 30, 2020
Severity: Medium
CVE identifier: CVE-2018-19944
Affected products: Certain Qnap NAS

Summary
A vulnerability has been reported to affect Qnap devices. If exploited, this vulnerability allows a remote attacker to gain access to sensitive information during cleartext transmission.

We have already fixed this vulnerability in the following versions:

  • QTS 4.4.3.1354 build 20200702 (and later)

Link for information

Cleartext Storage of Sensitive Information in Cookies
Security ID: QSA-20-23
Release date: December 30, 2020
Severity: Medium
CVE identifier: CVE-2018-19941
Affected products: All Qnap NAS

Summary
A vulnerability has been reported to affect Qnap NAS. If exploited, this vulnerability allows an attacker to access sensitive information stored in cleartext inside cookies via certain widely-available tools.

We have already fixed this vulnerability in the following versions:

  • QTS 4.5.1.1456 build 20201015 (and later)

  • QuTS hero h4.5.1.1472 build 20201031 (and later)

  • QuTScloud c4.5.2.1379 build 20200730 (and later)

Link for information

Questions regarding this issue: contact

Read also :
Qnap Security Advisory Bulletin ID: QSA-20-17 ~ QSA-20-20
Concerning multiple vulnerabilities in QES, command injection vulnerability in QES, hard-coded password vulnerability in QES, and command injection vulnerability in QTS and QuTS hero NAS OS
December 24, 2020 | Press Release
Qnap Security Advisory: Security Vulnerabilities of QTS and QuTS hero NAS OS and NAS Apps
Including Music Station, Multimedia Console, Photo Station applications and command injection vulnerability
December 11, 2020 | Press Release
Qnap Security Alert: Fight vs. AgeLocker Install Software Updates
Statement in response to recent reports and media coverage indicating that AgeLocker malware is encrypting user data and demanding ransom
October 15, 2020 | Press Release
Qnap Security Advisory and Malware Remover Update Notice
Attack that possibly exploits known vulnerabilities in earlier QTS versions
May 18, 2017 | Press Release
Qnap Security VioStor Network Video Recorder Supports StarDot NetCam IP Cameras
For capturing megapixel videos
November 30, 2012 | Press Release
Articles_bottom
AIC
ATTO
OPEN-E