==================================================================== CERT-Renater Note d'Information No. 2020/VULN660 _____________________________________________________________________ DATE : 07/12/2020 HARDWARE PLATFORM(S): / OPERATING SYSTEM(S): Systems running QTS, QuTS hero, QNAP NAS running Music Station, Multimedia Console, Photo Station. ===================================================================== https://www.qnap.com/fr-fr/security-advisory/qsa-20-12 https://www.qnap.com/fr-fr/security-advisory/qsa-20-13 https://www.qnap.com/fr-fr/security-advisory/qsa-20-14 https://www.qnap.com/fr-fr/security-advisory/qsa-20-15 https://www.qnap.com/fr-fr/security-advisory/qsa-20-16 _____________________________________________________________________ Multiple Vulnerabilities in QTS and QuTS hero Release date: December 7, 2020 Security ID: QSA-20-12 Severity: High CVE identifier: CVE-2020-2495 | CVE-2020-2496 | CVE-2020-2497 | CVE-2020-2498 Affected products: All QNAP NAS Summary Four vulnerabilities have been reported to affect earlier versions of QTS and QuTS hero. CVE-2020-2495: If exploited, this cross-site scripting vulnerability could allow remote attackers to inject malicious code in File Station. CVE-2020-2496: If exploited, this cross-site scripting vulnerability could allow remote attackers to inject malicious code in File Station. CVE-2020-2497: If exploited, this cross-site scripting vulnerability could allow remote attackers to inject malicious code in System Connection Logs. CVE-2020-2498: If exploited, this cross-site scripting vulnerability could allow remote attackers to inject malicious code in certificate configuration. We have already fixed these vulnerabilities in the following versions of QTS and QuTS hero. QuTS hero h4.5.1.1472 build 20201031 and later QTS 4.5.1.1456 build 20201015 and later QTS 4.4.3.1354 build 20200702 and later QTS 4.3.6.1333 build 20200608 and later QTS 4.3.4.1368 build 20200703 and later QTS 4.3.3.1315 build 20200611 and later QTS 4.2.6 build 20200611 and later Recommendation To secure your device, we strongly recommend updating your system to the latest version to benefit from vulnerability fixes. You can check the product support status to see the latest updates available to your NAS model. Installing the QTS or QuTS hero Update Log on to QTS or QuTS hero as administrator. Go to Control Panel > System > Firmware Update. Under Live Update, click Check for Update. QTS or QuTS hero downloads and installs the latest available update. Tip: You can also download the update from the QNAP website. Go to Support > Download Center and then perform a manual update for your specific device. Acknowledgements: Jan Hoff Revision History: V1.0 (December 7, 2020) - Published _____________________________________________________________________ Cross-site Scripting Vulnerability in Music Station Release date: December 7, 2020 Security ID: QSA-20-13 Severity: Medium CVE identifier: CVE-2020-2494 Affected products: QNAP NAS running Music Station Summary This cross-site scripting vulnerability in Music Station allows remote attackers to inject malicious code. We have already fixed this vulnerability in the following versions of Music Station. QuTS hero h4.5.1: Music Station 5.3.13 and later QTS 4.5.1: Music Station 5.3.12 and later QTS 4.4.3: Music Station 5.3.12 and later Recommendation To fix the issue, we recommend updating Music Station to the latest version. Updating Music Station Log on to QTS or QuTS hero as administrator. Open the App Center and then click . A search box appears. Type “Music Station” and then press ENTER. Music Station appears in the search results. Click Update. A confirmation message appears. Note: The Update button is not available if your Music Station is already up to date. Click OK. The application is updated. Acknowledgements: Jan Hoff Revision History: V1.0 (December 7, 2020) - Published _____________________________________________________________________ Cross-site Scripting Vulnerability in Multimedia Console Release date: December 7, 2020 Security ID: QSA-20-14 Severity: High CVE identifier: CVE-2020-2493 Affected products: QNAP NAS running Multimedia Console Summary This cross-site scripting vulnerability in Multimedia Console allows remote attackers to inject malicious code. We have already fixed this vulnerability in Multimedia Console 1.1.5 and later. Recommendation To fix the issue, we recommend updating Multimedia Console to the latest version. Updating Multimedia Console Log on to QTS as administrator. Open the App Center and then click . A search box appears. Type “Multimedia Console” and then press ENTER. Multimedia Console appears in the search results. Click Update. A confirmation message appears. Note: The Update button is not available if your Multimedia Console is already up to date. Click OK. The application is updated. Acknowledgements: Jan Hoff Revision History: V1.0 (December 7, 2020) - Published _____________________________________________________________________ Cross-site Scripting Vulnerability in Photo Station Release date: December 7, 2020 Security ID: QSA-20-15 Severity: High CVE identifier: CVE-2020-2491 Affected products: QNAP NAS running Photo Station Summary This cross-site scripting vulnerability in Photo Station allows remote attackers to inject malicious code. We have already fixed this vulnerability in the following versions of Photo Station. QTS 4.5.1: Photo Station 6.0.12 and later QTS 4.4.3: Photo Station 6.0.12 and later QTS 4.3.6: Photo Station 5.7.12 and later QTS 4.3.4: Photo Station 5.7.13 and later QTS 4.3.3: Photo Station 5.4.10 and later QTS 4.2.6: Photo Station 5.2.11 and later Recommendation To fix the issue, we recommend updating Photo Station to the latest version. Updating Photo Station Log on to QTS as administrator. Open the App Center and then click . A search box appears. Type “Photo Station” and then press ENTER. Photo Station appears in the search results. Click Update. A confirmation message appears. Note: The Update button is not available if your Photo Station is already up to date. Click OK. The application is updated. Acknowledgements: Jan Hoff Revision History: V1.0 (December 7, 2020) - Published _____________________________________________________________________ Command Injection Vulnerability in QTS and QuTS hero Release date: December 7, 2020 Security ID: QSA-20-16 Severity: Medium CVE identifier: CVE-2019-7198 Affected products: All QNAP NAS Summary This command injection vulnerability allows attackers to execute arbitrary commands in a compromised application. We have already fixed this vulnerability in the following versions of QTS and QuTS hero. QuTS hero h4.5.1.1472 build 20201031 and later QTS 4.5.1.1456 build 20201015 and later QTS 4.4.3.1354 build 20200702 and later Recommendation To secure your device, we strongly recommend updating your system to the latest version to benefit from vulnerability fixes. You can check the product support status to see the latest updates available to your NAS model. Installing the QTS or QuTS hero Update Log on to QTS or QuTS hero as administrator. Go to Control Panel > System > Firmware Update. Under Live Update, click Check for Update. QTS or QuTS hero downloads and installs the latest available update. Tip: You can also download the update from the QNAP website. Go to Support > Download Center and then perform a manual update for your specific device. Acknowledgements: Jan Hoff Revision History: V1.0 (December 7, 2020) - Published ========================================================= + CERT-RENATER       |    tel : 01-53-94-20-44          + + 23/25 Rue Daviel   |    fax : 01-53-94-20-41         + + 75013 Paris        |    email:cert@support.renater.fr + =========================================================