
=====================================================================

                                CERT-Renater

                     Information Note No. 2023/VULN152

_____________________________________________________________________

DATE                : 06/04/2023

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S) : QTS versions prior to 5.0.1.2346 build 20230322,
                      QuTS hero versions prior to h5.0.1.2348 build 20230324,
                      QuTScloud, QVP, QVR.

=====================================================================
https://www.qnap.com/fr-fr/security-advisory/qsa-23-11
https://www.qnap.com/fr-fr/security-advisory/qsa-23-02
https://www.qnap.com/fr-fr/security-advisory/qsa-23-03
https://www.qnap.com/fr-fr/security-advisory/qsa-23-06
https://www.qnap.com/fr-fr/security-advisory/qsa-23-10
https://www.qnap.com/fr-fr/security-advisory/qsa-23-15
_____________________________________________________________________

Vulnerability in sudo

     Release date: March 30, 2023
     Security ID: QSA-23-11
     Severity: High
     CVE identifier: CVE-2023-22809
     Affected products: Certain QNAP devices
     Status: Fixing

Summary

A vulnerability has been reported in sudo. The vulnerability affects
the following QNAP operating systems:

     QTS, QuTS hero, QuTScloud, QVP (QVR Pro appliances)

We have already fixed the vulnerability in the following operating
system versions:

     QTS 5.0.1.2346 build 20230322 and later
     QuTS hero h5.0.1.2348 build 20230324 and later

QNAP is urgently fixing the vulnerability in QuTScloud and QVP.

Please check this security advisory regularly for updates and
promptly update your operating system to the latest recommended
version as soon as it is available.
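The six advisories below all name the same two fixed builds (QTS 5.0.1.2346 build 20230322 and QuTS hero h5.0.1.2348 build 20230324) and leave the other products at status "Fixing". The following added example, which is not QNAP's or CERT-Renater's code, parses QNAP version strings and triages a constructed device inventory against those fixed builds; the FIXED_VERSIONS table is copied from the advisories, and the hostnames and installed versions in INVENTORY are invented for illustration.

```python
import re
from typing import NamedTuple, Tuple

# Fixed builds taken from QSA-23-11, -02, -03, -06, -10 and -15 above. None means
# the vendor status is still "Fixing", so every installed build counts as affected.
FIXED_VERSIONS = {
    "QTS": "5.0.1.2346 build 20230322",
    "QuTS hero": "h5.0.1.2348 build 20230324",
    "QuTScloud": None, "QVP": None, "QVR": None, "QES": None,
}

# "5.0.1.2346 build 20230322" (QTS) or "h5.0.1.2348 build 20230324" (QuTS hero)
_VERSION_RE = re.compile(r"^(h)?(\d+(?:\.\d+)*)(?:\s+build\s+(\d{8}))?$")

class FirmwareVersion(NamedTuple):
    hero: bool              # True for QuTS hero ("h" prefix)
    parts: Tuple[int, ...]  # dotted version as integers
    build: int              # YYYYMMDD build date, 0 if absent

def parse_version(text: str) -> FirmwareVersion:
    """Parse a QNAP version string; raise ValueError on anything else."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised QNAP version string: {text!r}")
    hero, dotted, build = m.groups()
    parts = tuple(int(p) for p in dotted.split("."))
    return FirmwareVersion(bool(hero), parts, int(build) if build else 0)

def is_affected(product: str, installed: str) -> bool:
    """True if the installed build is below the fixed build for this product."""
    fixed = FIXED_VERSIONS[product]
    if fixed is None:
        return True
    inst, fix = parse_version(installed), parse_version(fixed)
    if inst.hero != fix.hero:  # a QuTS hero string filed under QTS, or vice versa
        raise ValueError(f"{installed!r} is not a {product} version string")
    return (inst.parts, inst.build) < (fix.parts, fix.build)

# Constructed inventory: hostnames and versions are illustrative, not real devices.
INVENTORY = [
    ("nas-01", "QTS", "5.0.1.2200 build 20230101"),
    ("nas-02", "QTS", "5.0.1.2346 build 20230322"),
    ("nas-03", "QuTS hero", "h5.0.1.2348 build 20230324"),
    ("nas-04", "QuTS hero", "h5.0.1.2200 build 20230101"),
    ("cam-01", "QVP", "2.3.1.0535"),
]

def triage(inventory) -> list:
    """Return the hostnames that still need the updates described above."""
    return [name for name, product, ver in inventory if is_affected(product, ver)]
```

A device at the fixed version but with an earlier build date is still reported as affected, since the advisories name both the version and the build.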

Recommendation

To secure your device, we recommend regularly updating your system
to the latest version to benefit from vulnerability fixes. You can
check the product support status to see the latest updates available
to your NAS model.


Updating QTS, QuTS hero, or QuTScloud

     Log in to QTS, QuTS hero, or QuTScloud as an administrator.
     Go to Control Panel > System > Firmware Update.
     Under Live Update, click Check for Update.
     The system downloads and installs the latest available update.

Tip: You can also download the update from the QNAP website. Go to
Support > Download Center and then perform a manual update for your
specific device.

Updating QVP (QVR Pro Appliances)

     Log in to QVP as an administrator.
     Go to Control Panel > System Settings > Firmware Update.
     Select the Firmware Update tab.
     Click Browse... to upload the latest firmware file.
     Tip: Download the latest firmware file for your specific device
          from https://www.qnap.com/go/download.
     Click Update System.
     The system installs the update.


Attachment

     QSA-23-11.json

Revision History:
V1.0 (March 30, 2023) - Published

_____________________________________________________________________

Buffer Overflow Vulnerabilities in Samba

     Release date: March 30, 2023
     Security ID: QSA-23-02
     Severity: Medium
     CVE identifier: CVE-2022-3437 | CVE-2022-3592
     Affected products: Certain QNAP devices running Samba
     Status: Fixing


Summary

Multiple buffer overflow vulnerabilities have been reported in Samba.
These vulnerabilities affect the following QNAP operating systems:

     QTS, QuTS hero, QuTScloud, QVP (QVR Pro appliances), QVR

We have already fixed the vulnerabilities in the following operating
system versions:

     QTS 5.0.1.2346 build 20230322 and later
     QuTS hero h5.0.1.2348 build 20230324 and later

QNAP is urgently fixing the vulnerabilities in QuTScloud, QVP, and
QVR.

Please check this security advisory regularly for updates and promptly
update your operating system to the latest recommended version as soon
as it is available.

Recommendation

To secure your device, we recommend regularly updating your system to
the latest version to benefit from vulnerability fixes. You can check
the product support status to see the latest updates available to your
QNAP device.

Updating QTS, QuTS hero, or QuTScloud

     Log in to QTS, QuTS hero, or QuTScloud as an administrator.
     Go to Control Panel > System > Firmware Update.
     Under Live Update, click Check for Update.
     The system downloads and installs the latest available update.

Tip: You can also download the update from the QNAP website. Go to
Support > Download Center and then perform a manual update for your
specific device.

Updating QVP (QVR Pro Appliances) or QVR

     Log in to QVP or QVR as an administrator.
     Go to Control Panel > System Settings > Firmware Update.
     Select the Firmware Update tab.
     Click Browse... to upload the latest firmware file.
     Tip: Download the latest firmware file for your specific device
          from https://www.qnap.com/go/download.
     Click Update System.
     The system installs the update.

Attachment

     QSA-23-02.json

Revision History:
V1.0 (March 30, 2023) - Published

_____________________________________________________________________

Buffer Overflow Vulnerability in Samba

     Release date: March 30, 2023
     Security ID: QSA-23-03
     Severity: Medium
     CVE identifier: CVE-2022-42898
     Affected products: Certain QNAP devices running Samba
     Status: Fixing

Summary

A buffer overflow vulnerability has been reported in Samba. The
vulnerability affects the following QNAP operating systems:

     QTS, QVP (QVR Pro appliances)

We have already fixed the vulnerability in the following operating
system versions:

     QTS 5.0.1.2346 build 20230322 and later

QNAP is urgently fixing the vulnerability in QVP.

Please check this security advisory regularly for updates and promptly
update your operating system to the latest version as soon as it is
available.

Recommendation

To secure your device, we recommend regularly updating your system
to the latest version to benefit from vulnerability fixes. You can
check the product support status to see the latest updates available
to your NAS model.

Updating QTS

     Log in to QTS as an administrator.
     Go to Control Panel > System > Firmware Update.
     Under Live Update, click Check for Update.
     The system downloads and installs the latest available update.

Tip: You can also download the update from the QNAP website. Go to
Support > Download Center and then perform a manual update for your
specific device.


Updating QVP (QVR Pro Appliances)

     Log in to QVP as an administrator.
     Go to Control Panel > System Settings > Firmware Update.
     Select the Firmware Update tab.
     Click Browse... to upload the latest firmware file.
     Tip: Download the latest firmware file for your specific device
          from https://www.qnap.com/go/download.
     Click Update System.
     The system installs the update.

Attachment

     QSA-23-03.json

Revision History:
V1.0 (March 30, 2023) - Published

_____________________________________________________________________


Vulnerabilities in QTS, QuTS hero, QuTScloud, and QVP

     Release date: March 30, 2023
     Security ID: QSA-23-06
     Severity: Low
     CVE identifier: CVE-2022-27597 | CVE-2022-27598
     Affected products: Certain QNAP devices
     Status: Fixing


Summary

Two vulnerabilities have been reported to affect multiple QNAP
operating systems. If exploited, these vulnerabilities allow remote
authenticated users to get secret values.


The vulnerabilities affect the following QNAP operating systems:

     QTS, QuTS hero, QuTScloud, QVP (QVR Pro appliances)

We have already fixed the vulnerabilities in the following operating
system versions:

     QTS 5.0.1.2346 build 20230322 and later
     QuTS hero h5.0.1.2348 build 20230324 and later

QNAP is urgently fixing the vulnerabilities in QuTScloud and QVP.

Please check this security advisory regularly for updates and promptly
update your operating system to the latest recommended version as soon
as it is available.

Recommendation

To secure your device, we recommend regularly updating your system to
the latest version to benefit from vulnerability fixes. You can check
the product support status to see the latest updates available to your
NAS model.


Updating QTS, QuTS hero, or QuTScloud

     Log in to QTS, QuTS hero, or QuTScloud as an administrator.
     Go to Control Panel > System > Firmware Update.
     Under Live Update, click Check for Update.
     The system downloads and installs the latest available update.

Tip: You can also download the update from the QNAP website. Go to
Support > Download Center and then perform a manual update for your
specific device.


Updating QVP (QVR Pro Appliances)

     Log in to QVP as an administrator.
     Go to Control Panel > System Settings > Firmware Update.
     Select the Firmware Update tab.
     Click Browse... to upload the latest firmware file.
     Tip: Download the latest firmware file for your specific device
          from https://www.qnap.com/go/download.
     Click Update System.
     The system installs the update.

Attachment

     CVE-2022-27597.json
     CVE-2022-27598.json


Acknowledgements: Sternum LIV and Sternum team


Revision History:
V1.0 (March 30, 2023) - Published

_____________________________________________________________________

Vulnerability in QTS, QuTS hero, QuTScloud, QVP, and QVR

     Release date: March 30, 2023
     Security ID: QSA-23-10
     Severity: Medium
     CVE identifier: CVE-2023-23355
     Affected products: Certain QNAP devices
     Status: Fixing


Summary

A vulnerability has been reported to affect multiple QNAP operating
systems. If exploited, the vulnerability allows remote authenticated
users to execute arbitrary commands via susceptible QNAP devices.


The vulnerability affects the following QNAP operating systems:

     QTS, QuTS hero, QuTScloud, QVP (QVR Pro appliances), QVR

We have already fixed the vulnerability in the following operating
system versions:

     QTS 5.0.1.2346 build 20230322 and later
     QuTS hero h5.0.1.2348 build 20230324 and later

QNAP is urgently fixing the vulnerability in QuTScloud, QVP, and QVR.

Please check this security advisory regularly for updates and promptly
update your operating system to the latest recommended version as soon
as it is available.

Recommendation

To secure your device, we recommend regularly updating your system to
the latest version to benefit from vulnerability fixes. You can check
the product support status to see the latest updates available to your
NAS model.


Updating QTS, QuTS hero, or QuTScloud

     Log in to QTS, QuTS hero, or QuTScloud as an administrator.
     Go to Control Panel > System > Firmware Update.
     Under Live Update, click Check for Update.
     The system downloads and installs the latest available update.

Tip: You can also download the update from the QNAP website. Go to
Support > Download Center and then perform a manual update for your
specific device.


Updating QVP (QVR Pro Appliances) or QVR

     Log in to QVP or QVR as an administrator.
     Go to Control Panel > System Settings > Firmware Update.
     Select the Firmware Update tab.
     Click Browse... to upload the latest firmware file.
     Tip: Download the latest firmware file for your specific device
          from https://www.qnap.com/go/download.
     Click Update System.
     The system installs the update.


Attachment

     CVE-2023-23355.json


Acknowledgements: YC of the M1QLin security team


Revision History:
V1.0 (March 30, 2023) - Published

_____________________________________________________________________

Multiple Vulnerabilities in OpenSSL

     Release date: March 30, 2023
     Security ID: QSA-23-15
     Severity: Medium
     CVE identifier: CVE-2023-0286 | CVE-2022-4304 | CVE-2023-0215 |
                     CVE-2022-4450
     Affected products: Certain QNAP devices
     Status: Fixing


Summary

Multiple vulnerabilities have been reported in OpenSSL. These
vulnerabilities affect the following QNAP operating systems:


     QTS, QuTS hero, QuTScloud, QVP (QVR Pro appliances), QVR, QES

We have already fixed the vulnerabilities in the following
operating system versions:

     QTS 5.0.1.2346 build 20230322 and later
     QuTS hero h5.0.1.2348 build 20230324 and later

QNAP is urgently fixing the vulnerabilities in QuTScloud, QVP,
QVR, and QES.

Please check this security advisory regularly for updates and
promptly update your operating system to the latest recommended
version as soon as it is available.

Recommendation

To secure your device, we recommend regularly updating your
system to the latest version to benefit from vulnerability fixes.
You can check the product support status to see the latest updates
available to your NAS model.


Updating QTS, QuTS hero, or QuTScloud

     Log in to QTS, QuTS hero, or QuTScloud as an administrator.
     Go to Control Panel > System > Firmware Update.
     Under Live Update, click Check for Update.
     The system downloads and installs the latest available update.

Tip: You can also download the update from the QNAP website. Go to
Support > Download Center and then perform a manual update for your
specific device.

Updating QVP (QVR Pro Appliances) or QVR

     Log in to QVP or QVR as an administrator.
     Go to Control Panel > System Settings > Firmware Update.
     Select the Firmware Update tab.
     Click Browse... to upload the latest firmware file.
     Tip: Download the latest firmware file for your specific device
          from https://www.qnap.com/go/download.
     Click Update System.
     The system installs the update.

Updating QES

     Log in to QES as an administrator.
     Go to Control Panel > System > Firmware Update > Live Update.
     Click Check for Live Update.
     The system downloads and installs the latest available update.

Tip: You can also download the update from the QNAP website. Go to
Support > Download Center and then perform a manual update for your
specific device.


Attachment

     QSA-23-15.json


Revision History:
V1.0 (March 30, 2023) - Published

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================

