=====================================================================

                                CERT-Renater

                      Information Note No. 2023/VULN386

_____________________________________________________________________

DATE                : 10/10/2023

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Windows running QVPN Device Client versions
                            prior to 2.1.0.0518 and 2.2.0.0823.

=====================================================================
https://www.qnap.com/en/security-advisory/qsa-23-36
https://www.qnap.com/en/security-advisory/qsa-23-39
_____________________________________________________________________

Security ID : QSA-23-36
Vulnerability in QVPN Device Client for Windows

     Release date : October 7, 2023

     CVE identifier : CVE-2023-23370

     Affected products: QVPN Windows 2.1.x

Severity
Medium

Status
Resolved


Summary

An insufficiently protected credentials vulnerability has been
reported to affect QVPN Device Client for Windows. If exploited,
the vulnerability could allow a local authenticated administrator
to gain access to user accounts and the sensitive data they use
via unspecified vectors.

We have already fixed the vulnerability in the following version:

Affected Product        Fixed Version
QVPN Windows 2.1.x      QVPN Windows 2.1.0.0518 and later


Recommendation

To secure your device, we recommend regularly updating your QNAP
utilities to the latest versions to benefit from vulnerability
fixes. You can check the QNAP Utilities page to find the latest
updates available for your device operating system.


Attachment

     CVE-2023-23370.json


Acknowledgements: Runzi Zhao, Security Researcher, QI-ANXIN


Revision History:
V1.0 (October 07, 2023) - Published

_____________________________________________________________________

Security ID : QSA-23-39
Vulnerability in QVPN Device Client for Windows

     Release date : October 7, 2023

     CVE identifier : CVE-2023-23371

     Affected products: QVPN Windows 2.2.x

Severity
Low

Status
Resolved


Summary

A cleartext transmission of sensitive information vulnerability has
been reported to affect QVPN Device Client for Windows. If exploited,
the vulnerability could allow local authenticated administrators to
read sensitive data via unspecified vectors.

We have already fixed the vulnerability in the following version:

Affected Product        Fixed Version
QVPN Windows 2.2.x      QVPN Windows 2.2.0.0823 and later


Recommendation

To secure your device, we recommend regularly updating your QNAP
utilities to the latest versions to benefit from vulnerability fixes.
You can check the QNAP Utilities page to see the latest updates
available for your device operating system.


Attachment

     CVE-2023-23371.json


Acknowledgements: Runzi Zhao, Security Researcher, QI-ANXIN


Revision History:
V1.0 (October 07, 2023) - Published
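
The following is an added example, not part of the CERT-Renater or QNAP text: a triage of installed QVPN Device Client for Windows versions against the fixed versions listed in QSA-23-36 and QSA-23-39. The inventory rows, hostnames and the status labels are constructed for illustration; only the branches, advisory IDs, CVE identifiers and fixed versions come from the advisories.

```python
# Added example: triage installed QVPN Device Client for Windows versions
# against the two advisories above. Inventory rows are constructed samples.
import re

# (major, minor) branch -> (advisory, CVE, first fixed version), from the advisory tables.
FIXED = {
    (2, 1): ("QSA-23-36", "CVE-2023-23370", "2.1.0.0518"),
    (2, 2): ("QSA-23-39", "CVE-2023-23371", "2.2.0.0823"),
}

def parse_version(text):
    """Parse 'a.b.c.dddd' into a tuple of ints; '0518' compares as 518."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+){3}", text):
        raise ValueError(f"unexpected version format: {text!r}")
    return tuple(int(part) for part in text.split("."))

def triage(version_text):
    """Return (status, advisory, cve) for one installed version string."""
    try:
        version = parse_version(version_text)
    except ValueError:
        return ("unparsed", None, None)
    entry = FIXED.get(version[:2])
    if entry is None:
        # The advisories only list the 2.1.x and 2.2.x branches.
        return ("not-listed", None, None)
    advisory, cve, fixed = entry
    if version < parse_version(fixed):
        return ("affected", advisory, cve)
    return ("fixed", advisory, cve)

# Constructed inventory: (hostname, reported QVPN version).
SAMPLE_INVENTORY = [
    ("ws-001", "2.1.0.0412"),
    ("ws-002", "2.1.0.0518"),
    ("ws-003", "2.2.0.0822"),
    ("ws-004", "2.2.0.0823"),
    ("ws-005", "2.0.0.1316"),
    ("ws-006", "unknown"),
]

def report(inventory):
    """Map each host to its triage result."""
    return {host: triage(ver) for host, ver in inventory}

if __name__ == "__main__":
    for host, result in report(SAMPLE_INVENTORY).items():
        print(host, *result)
```

Hosts reported as "not-listed" or "unparsed" need manual review, since the advisories name only the 2.1.x and 2.2.x branches.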


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
