====================================================================

                             CERT-Renater

                 Note d'Information No. 2021/VULN306
_____________________________________________________________________

DATE                : 03/06/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running QNAP NAS running Video Station
                                  versions prior to 5.5.4.

=====================================================================
https://www.qnap.com/fr-fr/security-advisory/qsa-21-21
_____________________________________________________________________

Command Injection Vulnerability in Video Station

    Release date: June 3, 2021
    Security ID: QSA-21-21
    Severity: High
    CVE identifier: CVE-2021-28812
    Affected products: QNAP NAS running Video Station
    Status: Resolved


Summary

A command injection vulnerability has been reported to affect certain
versions of Video Station. If exploited, this vulnerability allows
remote attackers to execute arbitrary commands.

We have already fixed the issue in the following versions:

    QTS 4.5.2: Video Station 5.5.4 and later
    QuTS hero h4.5.2: Video Station 5.5.4 and later
    QuTScloud c4.5.4: Video Station 5.5.4 and later

QNAP NAS running the following versions are not affected:

    QTS 4.3.6: Video Station 5.3.11 and later
    QTS 4.3.3: Video Station 5.1.6 and later


Recommendation

To fix the vulnerability, we recommend updating Video Station to the
latest version.


Updating Video Station

    Log on to QTS or QuTS hero as administrator.
    Open the App Center and then click .
    A search box appears.
    Type “Video Station” and then press ENTER.
    Video Station appears in the search results.
    Click Update.
    A confirmation message appears.
    Note: The Update button is not available if your Video Station is
already up to date.
    Click OK.
    The application is updated.


Acknowledgements: Thomas Fady

Revision History: V1.0 (June 3, 2021) - Published



=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================