Qnap Security Advisory SA-22-01 Resolved Improper Authentication Vulnerability in Kazoo Server

Qnap Systems, Inc. had published a security advisory concerning the resolved improper authentication vulnerability in Kazoo Server running on the company’s NAS.

• Release date: February 11, 2022

• Security ID: QSA-22-01

• Severity: Medium

• CVE identifier: CVE-2021-38679

• Affected products: Qnap NAS running Kazoo Server

• Status: Resolved

Summary
A vulnerability has been reported to affect QTS 4.5.3 and later versions, and QuTS hero h4.5.3 and later versions. If exploited, the vulnerability allows attackers to run arbitrary code in the system.

The company have already fixed this vulnerability in following versions of Kazoo Server:

• Kazoo Server 4.11.22 and later

Recommendation
To fix the vulnerability, Qnap recommend updating Kazoo Server to the latest version.

1. Updating Kazoo Server

2. Log on to QTS or QuTS hero as administrator.

3. Open the App Center and then click
   A search box appears.

4. Enter ‘Kazoo Server’.
   Kazoo Server appears in the search results.

5. Click Update.
   A confirmation message appears.
   Note: The Update button is not available if your Kazoo Server is already up to date.

6. Click OK.
   The application is updated.

Acknowledgements: XUELIANG SUN
Revision History: V1.0 (February 11, 2022) – Published