{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2023-087.pdf"
    },
    "title": "Critical Vulnerabilities in QNAP products",
    "serial_number": "2023-087",
    "publish_date": "07-11-2023 10:26:21",
    "description": "On November 4 2023, QNAP Systems has released advisories addressing critical vulnerabilities affecting multiple versions of the QTS operating system and applications on its network-attached storage (NAS) devices. These vulnerabilities could allow an attacker to achieve Remote Code Execution.<br>\nIt is recommended updating affected devices as soon as possible.<br>\n",
    "url_title": "2023-087",
    "content_markdown": "---\ntitle: 'Critical Vulnerabilities in\u00a0QNAP\u00a0products'\nnumber: '2023-087'\nversion: '1.0'\noriginal_date: 'November 4, 2023'\ndate: 'November 7, 2023'\n---\n\n_History:_\n\n* _07/11/2023 --- v1.0 -- Initial publication_\n\n# Summary\n\nOn November 4 2023, QNAP Systems has released advisories [1,2] addressing critical vulnerabilities affecting multiple versions of the QTS operating system and applications on its network-attached storage (NAS) devices. These vulnerabilities could allow an attacker to achieve Remote Code Execution.\n\nIt is recommended updating affected devices as soon as possible.\n\n# Technical Details\n\n- The vulnerability identified by `CVE-2023-23368`, with a CVSS score of 9.8 out of 10, is an OS command injection vulnerability. If exploited, the vulnerability could allow remote attackers to execute commands via a network.\n- The vulnerability identified by `CVE-2023-23369`, with a CVSS score of 9.0 out of 10, is an OS command injection vulnerability. If exploited, the vulnerability could allow remote attackers to execute commands via a network.\n\n# Affected Products\n\n- The vulnerability `CVE-2023-23368` affects the following products: QTS 5.0.x, QTS 4.5.x, QuTS hero h5.0.x, QuTS hero h4.5.x, and QuTScloud c5.0.x.\n- The vulnerability `CVE-2023-23369` affects the following products: QTS 5.1.x, QTS 4.3.6, QTS 4.3.4, QTS 4.3.3, QTS 4.2.x, Multimedia Console 2.1.x, Multimedia Console 1.4.x, Media Streaming add-on 500.1.x, and Media Streaming add-on 500.0.x.\n\n# Recommendations\n\nCERT-EU recommends to install updates as available following the QNAP procuct support status [3].\n\n# References\n\n[1] <https://www.qnap.com/en-uk/security-advisory/qsa-23-31>\n\n[2] <https://www.qnap.com/en-uk/security-advisory/qsa-23-35>\n\n[3] <https://www.qnap.com/en/product/status>",
    "content_html": "<p><em>History:</em></p><ul><li><em>07/11/2023 --- v1.0 -- Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>On November 4 2023, QNAP Systems has released advisories [1,2] addressing critical vulnerabilities affecting multiple versions of the QTS operating system and applications on its network-attached storage (NAS) devices. These vulnerabilities could allow an attacker to achieve Remote Code Execution.</p><p>It is recommended updating affected devices as soon as possible.</p><h2 id=\"technical-details\">Technical Details</h2><ul><li>The vulnerability identified by <code>CVE-2023-23368</code>, with a CVSS score of 9.8 out of 10, is an OS command injection vulnerability. If exploited, the vulnerability could allow remote attackers to execute commands via a network.</li><li>The vulnerability identified by <code>CVE-2023-23369</code>, with a CVSS score of 9.0 out of 10, is an OS command injection vulnerability. If exploited, the vulnerability could allow remote attackers to execute commands via a network.</li></ul><h2 id=\"affected-products\">Affected Products</h2><ul><li>The vulnerability <code>CVE-2023-23368</code> affects the following products: QTS 5.0.x, QTS 4.5.x, QuTS hero h5.0.x, QuTS hero h4.5.x, and QuTScloud c5.0.x.</li><li>The vulnerability <code>CVE-2023-23369</code> affects the following products: QTS 5.1.x, QTS 4.3.6, QTS 4.3.4, QTS 4.3.3, QTS 4.2.x, Multimedia Console 2.1.x, Multimedia Console 1.4.x, Media Streaming add-on 500.1.x, and Media Streaming add-on 500.0.x.</li></ul><h2 id=\"recommendations\">Recommendations</h2><p>CERT-EU recommends to install updates as available following the QNAP procuct support status [3].</p><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.qnap.com/en-uk/security-advisory/qsa-23-31\">https://www.qnap.com/en-uk/security-advisory/qsa-23-31</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.qnap.com/en-uk/security-advisory/qsa-23-35\">https://www.qnap.com/en-uk/security-advisory/qsa-23-35</a></p><p>[3] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.qnap.com/en/product/status\">https://www.qnap.com/en/product/status</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}