
====================================================================

                             CERT-Renater

                 Information Note No. 2021/VULN005
_____________________________________________________________________

DATE                : 11/01/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running QTS versions prior to 4.5.1.1456
                     build 20201015,
                     QuTS hero versions prior to h4.5.1.1472 build 20201031.

=====================================================================
https://www.qnap.com/fr-fr/security-advisory/qsa-21-01
_____________________________________________________________________


Command Injection Vulnerability in QTS and QuTS hero

    Release date: January 11, 2021
    Security ID: QSA-21-01
    Severity: Medium
    CVE identifier: CVE-2020-2508
    Affected products: All QNAP NAS


Summary

A command injection vulnerability has been reported to affect QTS and
QuTS hero. If exploited, this vulnerability allows attackers to execute
arbitrary commands in a compromised application.

We have already fixed this vulnerability in the following versions:

    QTS 4.5.1.1456 build 20201015 (and later)
    QuTS hero h4.5.1.1472 build 20201031 (and later)
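
The following is an added example, not part of the QNAP or CERT-Renater text: a small triage script that flags inventory entries older than the fixed releases listed above. It assumes firmware strings are recorded in the advisory's own notation ("<product> <version> build <YYYYMMDD>") and that releases are ordered by version number first, then build date; the host names and sample versions are constructed.

```python
import re

# Fixed releases as stated in the advisory: (version tuple, build date).
FIXED = {
    "QTS": ((4, 5, 1, 1456), 20201015),
    "QuTS hero": ((4, 5, 1, 1472), 20201031),
}

# Assumed inventory notation, mirroring the advisory's wording;
# QuTS hero versions carry an "h" prefix (h4.5.1.1472).
_PATTERN = re.compile(
    r"^(QTS|QuTS hero)\s+h?(\d+(?:\.\d+){3})\s+build\s+(\d{8})$"
)

def parse_firmware(text):
    """Return (product, version tuple, build date) or raise ValueError."""
    m = _PATTERN.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognised firmware string: {text!r}")
    product, version, build = m.groups()
    return product, tuple(int(p) for p in version.split(".")), int(build)

def needs_update(text):
    """True when the firmware is older than the fixed release for its product."""
    product, version, build = parse_firmware(text)
    # Assumption: ordering is by version number, then by build date.
    return (version, build) < FIXED[product]

def triage(inventory):
    """Map each host to 'UPDATE', 'ok', or 'UNKNOWN' (unparseable entry)."""
    report = {}
    for host, firmware in inventory.items():
        try:
            report[host] = "UPDATE" if needs_update(firmware) else "ok"
        except ValueError:
            # Never treat an unreadable entry as patched; surface it instead.
            report[host] = "UNKNOWN"
    return report

# Constructed sample inventory (not real devices).
SAMPLE = {
    "nas-01": "QTS 4.5.1.1456 build 20201015",         # exactly the fixed release
    "nas-02": "QTS 4.5.0.1000 build 20200101",         # older version
    "nas-03": "QuTS hero h4.5.1.1470 build 20201020",  # older QuTS hero
    "nas-04": "QuTS hero h4.5.1.1472 build 20201031",  # fixed QuTS hero
    "nas-05": "firmware unknown",                      # malformed entry
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host}: {status}")
```

Entries reported as UNKNOWN should be checked by hand rather than assumed to be up to date.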


Recommendation

To secure your device, we strongly recommend updating your system to the
latest version to benefit from vulnerability fixes. You can check the
product support status to see the latest updates available to your NAS
model.

Installing the QTS or QuTS hero Update

    Log on to QTS or QuTS hero as administrator.
    Go to Control Panel > System > Firmware Update.
    Under Live Update, click Check for Update.
    QTS or QuTS hero downloads and installs the latest available update.

Tip: You can also download the update from the QNAP website. Go to
Support > Download Center and then perform a manual update for your
specific device.


Acknowledgements: CFF of Topsec Alpha Team

Revision History: V1.0 (January 11, 2021) - Resolved and Published


=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================


