
Qnap Security Resolved: Command Injection Vulnerability in Media Streaming Add-On

Concerning NAS running Media Streaming add-on

Qnap Systems, Inc. has published a security advisory concerning the resolved ‘Command Injection Vulnerability in Media Streaming Add-On’.

  • Release date: October 22, 2021

  • Security ID: QSA-21-44

  • Severity: High

  • CVE identifier: CVE-2021-34362

  • Affected products: Qnap NAS running the Media Streaming add-on

  • Status: Resolved

Summary
A command injection vulnerability has been reported to affect Qnap NAS running the Media Streaming add-on. If exploited, this vulnerability allows remote attackers to run arbitrary commands.

The company has already fixed the vulnerability in the following versions of the Media Streaming add-on:

  • QTS 5.0.0: Media Streaming add-on 500.0.0.3 (2021/08/20) and later

  • QTS 4.5.4: Media Streaming add-on 500.0.0.3 (2021/08/20) and later

  • QTS 4.3.6: Media Streaming add-on 430.1.8.12 (2021/08/20) and later

  • QTS 4.3.3: Media Streaming add-on 430.1.8.12 (2021/09/29) and later

  • QuTS hero h5.0.0: Media Streaming add-on 500.0.0.3 (2021/08/20) and later

Recommendation
To fix the vulnerability, we recommend updating the Media Streaming add-on to the latest version.

Updating Media Streaming Add-On

  1. Log on to QTS as administrator.

  2. Open the App Center and then click the magnifying glass icon.
    A search box appears.

  3. Type ‘Media Streaming add-on’ and then press ENTER.
    The Media Streaming add-on appears in the search results.

  4. Click Update.
    A confirmation message appears.
    Note: The Update button is not available if your Media Streaming add-on is already up to date.

  5. Click OK.
    The application is updated.

Acknowledgements: Tony Martin, a security researcher

Revision History: V1.0 (October 22, 2021) – Published
