Qnap: Four Security Advisories on Resolved Vulnerabilities
In QVR Pro Client, QuLog Center on QTS, QuTS hero and QuTScloud, QuFirewall on QTS
This is a Press Release edited by StorageNewsletter.com on September 12, 2023 at 2:01 pmQnap Systems, Inc. had published 4 resolved security adivories on resolved vulnerabilities.
Resolved Vulnerability in QVR Pro Client
Release date: September 8, 2023
Security ID: QSA-23-08
Severity: Medium
CVE identifier: CVE-2022-27599
Affected products: QVR Pro Client 2.3
Status: Resolved
Summary
An insertion of sensitive information into log file vulnerability has been reported to affect QVR Pro Client. If exploited, the vulnerability could provide local authenticated administrators with a less-protected path to acquire information via unspecified vectors.
The company have already fixed vulnerability in following version:
-
QVR Pro Client 2.3.0.0420 and later
Recommendation
To secure your device, we recommend regularly updating your system and applications to their latest versions to benefit from vulnerability fixes.
Updating QVR Pro Client
To download the latest version of QVR Pro Client for your OS.
Attachment
Acknowledgements: Runzi Zhao, Security Researcher, QI-ANXIN
Revision History:
V1.0 (September 08, 2023) – Published
Resolved vulnerability in QuLog Center on QTS, QuTS hero and QuTScloud
Release date: September 8, 2023
Security ID: QSA-23-13
Severity: High
CVE identifier: CVE-2023-23354
Affected products: QuLog Center 1.5, 1.4, 1.3
Status: Resolved
Summary
A cross-site scripting (XSS) vulnerability has been reported to affect QuLog Center on several QNAP OSs. If exploited, the vulnerability allows authenticated users to inject malicious code via network vector.
The company have already fixed vulnerability in following OS and QuLog Center versions:
- QTS 5.0.1: QuLog Center 1.5.0.738 (2023/03/06) and later
- QTS 4.5.4: QuLog Center 1.3.1.645 (2023/02/22) and later
- QuTS hero h5.0.1: QuLog Center 1.5.0.738 (2023/03/06) and later
- QuTS hero h4.5.4: QuLog Center 1.3.1.645 (2023/02/22) and later
- QuTscloud c5.0.1: QuLog Center 1.4.1.691 (2023/03/01) and later
Recommendation
To secure your device, we recommend regularly updating your system to the latest version to benefit from vulnerability fixes. You can check the product support status to see the latest updates available to your NAS model. In addition, for online activities, it’s recommended to access the web through secure and trusted networks.
Updating QuLog Center
- Log in to QTS, QuTS hero, QuTScloud, or QVP.
- Open App Center and then click .
A search box appears. - Enter ‘QuLog Center’.
QuLog Center appears in the search results. - Click Update.
A confirmation message appears.
Note: The Update button is not available if the application is already up to date. - Click OK.
The application is updated.
Attachment
Acknowledgements: Kaibro
Revision History:
V1.0 (September 08, 2023) – Published
Resolved vulnerability in QuFirewall on QTS, QuTS hero, and QuTScloud
Release date: September 8, 2023
Security ID: QSA-23-14
Severity: Medium
CVE identifier: CVE-2023-23356
Affected products: QuFirewall 2.3
Status: Resolved
Summary
An OS command injection vulnerability has been reported to affect QuFirewall on QTS, QuTS hero, and QuTScloud. If exploited, the vulnerability allows authenticated administrators to execute commands via susceptible QNAP devices via network vector.
The company have already fixed vulnerability in following versions:
-
QuFirewall 2.3.3 (2023/03/27) and later
Recommendation
To secure your device, Qnap recommend regularly updating your system and applications to their latest versions to benefit from vulnerability fixes. You can check the product support status to see the latest updates available to your NAS model.
Updating QuFirewall
- Log in to QTS, QuTS hero, or QuTScloud as an administrator.
- Open App Center and then click .
A search box appears. - Enter ‘QuFirewall’.
QuFirewall appears in the search results. - Click Update.
A confirmation message appears.
Note: The Update button is not available if the application is already up to date. - Click OK.
The application is updated.
Attachment
Acknowledgements: Kaibro
Revision History:
V1.0 (September 08, 2023) – Published
Resolved vulnerability in QuLog Center on QTS, QuTS hero and QuTScloud
Release date: September 8, 2023
Security ID: QSA-23-16
Severity: Medium
CVE identifier: CVE-2023-23357
Affected products: QuLog Center 1.5, 1.4, 1.3
Status: Resolved
Summary
A cross-site scripting (XSS) vulnerability has been reported to affect QuLog Center on several QNAP OSs. If exploited, the vulnerability allows authenticated administrators to inject malicious code via network vector.
The company have already fixed vulnerability in following OSs and QuLog Center versions:
- QTS 5.0.1: QuLog Center 1.5.0.738 (2023/03/06) and later
- QTS 4.5.4: QuLog Center 1.3.1.645 (2023/02/22) and later
- QuTS hero h5.0.1: QuLog Center 1.5.0.738 (2023/03/06) and later
- QuTS hero h4.5.4: QuLog Center 1.3.1.645 (2023/02/22) and later
- QuTscloud c5.0.1: QuLog Center 1.4.1.691 (2023/03/01) and later
Recommendation
To secure your device, we recommend regularly updating your system to the latest version to benefit from vulnerability fixes. You can check the product support status to see the latest updates available to your NAS model. In addition, for online activities, it’s recommended to access the web through secure and trusted networks.
Updating QuLog Center
-
Log in to QTS, QuTS hero, QuTScloud, or QVP.
-
Open App Center and then click .
A search box appears. -
Enter ‘QuLog Center’.
QuLog Center appears in the search results. -
Click Update.
A confirmation message appears.
Note: The Update button is not available if the application is already up to date. -
Click OK.
The application is updated.
Attachment
Acknowledgements: Kaibro
Revision History:
V1.0 (September 08, 2023) – Published
Subscribe to our free daily newsletter
