
=====================================================================

                                CERT-Renater

                    Information Note No. 2023/VULN036

_____________________________________________________________________

DATE                : 31/01/2023

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S) : Systems running QTS version 5.0.1,
                      QuTS hero version h5.0.1.

=====================================================================
https://www.qnap.com/fr-fr/security-advisory/qsa-23-01
_____________________________________________________________________

Vulnerability in QTS and QuTS hero

     Release date: January 30, 2023
     Security ID: QSA-23-01
     Severity: Critical
     CVE identifier: CVE-2022-27596
     Affected products: QTS 5.0.1, QuTS hero h5.0.1
     Status: Resolved

Summary

A vulnerability has been reported to affect QNAP devices running
QTS 5.0.1 and QuTS hero h5.0.1. If exploited, this vulnerability
allows remote attackers to inject malicious code.



We have already fixed this vulnerability in the following
operating system versions:



     QTS 5.0.1.2234 build 20221201 and later
     QuTS hero h5.0.1.2248 build 20221215 and later
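
The fixed-version thresholds above can be checked across a device inventory. The following is an added example, not part of the QNAP or CERT-Renater advisory: it assumes firmware strings in the "5.0.1.2234 build 20221201" form used above, and the host names and inventory entries are constructed sample values.

```python
import re

# Fixed releases as stated in the advisory:
# product -> (affected branch, (4th version component, build date)).
FIXED = {
    "QTS": ((5, 0, 1), (2234, 20221201)),
    "QuTS hero": ((5, 0, 1), (2248, 20221215)),
}

# Accepts "5.0.1.2234 build 20221201" and the QuTS hero "h5.0.1..." form.
_VERSION_RE = re.compile(
    r"^h?(\d+)\.(\d+)\.(\d+)\.(\d+)\s+build\s+(\d{8})$", re.IGNORECASE
)


def classify(product, version):
    """Return 'vulnerable', 'fixed', 'not-listed' or 'unparsed'."""
    if product not in FIXED:
        return "not-listed"
    match = _VERSION_RE.match(version.strip())
    if not match:
        return "unparsed"  # never guess: flag the device for manual review
    major, minor, patch, number, date = (int(g) for g in match.groups())
    branch, fixed_build = FIXED[product]
    if (major, minor, patch) != branch:
        # The advisory names only the 5.0.1 / h5.0.1 branch as affected.
        return "not-listed"
    # Tuple comparison: build number first, then build date as tie-breaker.
    return "fixed" if (number, date) >= fixed_build else "vulnerable"


def audit(inventory):
    """Map each host in (host, product, version) rows to its status."""
    return {host: classify(prod, ver) for host, prod, ver in inventory}


# Constructed inventory (hypothetical hosts and firmware strings).
INVENTORY = [
    ("nas-01", "QTS", "5.0.1.2000 build 20220801"),
    ("nas-02", "QTS", "5.0.1.2234 build 20221201"),
    ("nas-03", "QuTS hero", "h5.0.1.2100 build 20220901"),
    ("nas-04", "QuTS hero", "h5.0.1.2248 build 20221215"),
    ("nas-05", "QTS", "4.5.4.1000 build 20210101"),
    ("nas-06", "QTS", "unknown"),
]

if __name__ == "__main__":
    for host, status in audit(INVENTORY).items():
        print(f"{host:8} {status}")
```

Devices reported as "unparsed" or "not-listed" are outside what this advisory states and need their version confirmed by hand.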


Recommendation

To secure your device, we recommend regularly updating your
system to the latest version to benefit from vulnerability
fixes. You can check the product support status to see the
latest updates available to your NAS model.



Updating QTS or QuTS hero

     1. Log in to QTS or QuTS hero as an administrator.
     2. Go to Control Panel > System > Firmware Update.
     3. Under Live Update, click Check for Update.

     QTS or QuTS hero downloads and installs the latest available
     update.

Tip: You can also download the update from the QNAP website.
Go to Support > Download Center and then perform a manual update
for your specific device.


Attachment

     CVE-2022-27596.json


Acknowledgements: huasheng_mangguo

Revision History: V1.0 (January 30, 2023) - Published


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================


