======================================================================
                            CERT-Renater

                 Information Note No. 2024/VULN524
_____________________________________________________________________

DATE                 : 09/12/2024

HARDWARE PLATFORM(S) : /

OPERATING SYSTEM(S)  : Systems running QTS versions prior to
                       5.1.9.2954 build 20241120, 5.2.2.2950 build 20241114,
                       QuTS hero versions prior to
                       h5.1.9.2954 build 20241120, h5.2.2.2952 build 20241116,
                       Qsync Central versions prior to
                       4.4.0.16_20240819 (2024/08/19),
                       License Center versions prior to 1.9.43.

=====================================================================
https://www.qnap.com/fr-fr/security-advisory/qsa-24-49
https://www.qnap.com/fr-fr/security-advisory/qsa-24-48
https://www.qnap.com/fr-fr/security-advisory/qsa-24-50
_____________________________________________________________________

Security ID       : QSA-24-49

Multiple Vulnerabilities in QTS and QuTS hero (PWN2OWN 2024)

Release date      : December 7, 2024
CVE identifier    : CVE-2024-48859 | CVE-2024-48865 | CVE-2024-48866 |
                    CVE-2024-48867 | CVE-2024-48868 | CVE-2024-50393 |
                    CVE-2024-50402 | CVE-2024-50403
Affected products : QTS 5.1.x, 5.2.x; QuTS hero h5.1.x, h5.2.x
Severity          : Important
Status            : Resolved

Summary

Multiple vulnerabilities have been reported to affect certain QNAP
operating system versions:

- CVE-2024-48859: If exploited, the improper authentication
  vulnerability could allow remote attackers to compromise the
  security of the system.
- CVE-2024-48865: If exploited, the improper certificate validation
  vulnerability could allow attackers with local network access to
  compromise the security of the system.
- CVE-2024-48866: If exploited, the improper handling of URL encoding
  (hex encoding) vulnerability could allow remote attackers to cause
  the system to go into an unexpected state.
- CVE-2024-48867, CVE-2024-48868: If exploited, the improper
  neutralization of CRLF sequences ("CRLF injection") vulnerabilities
  could allow remote attackers to modify application data.
- CVE-2024-50393: If exploited, the command injection vulnerability
  could allow remote attackers to execute arbitrary commands.
- CVE-2024-50402, CVE-2024-50403: If exploited, the use of
  externally-controlled format string vulnerabilities could allow
  remote attackers who have gained administrator access to obtain
  secret data or modify memory.

We have already fixed the vulnerabilities in the following versions:

Affected Product    Fixed Version
----------------    ----------------------------------------------
QTS 5.1.x           QTS 5.1.9.2954 build 20241120 and later
QTS 5.2.x           QTS 5.2.2.2950 build 20241114 and later
QuTS hero h5.1.x    QuTS hero h5.1.9.2954 build 20241120 and later
QuTS hero h5.2.x    QuTS hero h5.2.2.2952 build 20241116 and later

Recommendation

To secure your device, we recommend regularly updating your system to
the latest version to benefit from vulnerability fixes. You can check
the product support status to see the latest updates available to your
NAS model.

Updating QTS or QuTS hero

1. Log in to QTS or QuTS hero as an administrator.
2. Go to Control Panel > System > Firmware Update.
3. Under Live Update, click Check for Update.
   The system downloads and installs the latest available update.

Tip: You can also download the update from the QNAP website. Go to
Support > Download Center and then perform a manual update for your
specific device.
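To check a fleet against the fixed-version table above, the following added example (not code from QNAP or CERT-Renater) classifies firmware version strings per product and branch. It assumes the strings have already been collected in the form "QTS 5.1.9.2954 build 20241120"; the host names and unpatched versions in the sample are constructed.

```python
import re

# Fixed versions from the QSA-24-49 table: (product, branch) -> (version, build date).
FIXED = {
    ("QTS", "5.1"): ((5, 1, 9, 2954), 20241120),
    ("QTS", "5.2"): ((5, 2, 2, 2950), 20241114),
    ("QuTS hero", "5.1"): ((5, 1, 9, 2954), 20241120),
    ("QuTS hero", "5.2"): ((5, 2, 2, 2952), 20241116),
}

# Assumed input format, e.g. "QuTS hero h5.2.2.2952 build 20241116".
VERSION_RE = re.compile(
    r"^(QTS|QuTS hero)\s+(h?)(\d+)\.(\d+)\.(\d+)\.(\d+)(?:\s+build\s+(\d{8}))?$"
)


def classify(firmware):
    """Return 'patched', 'vulnerable', 'unlisted' or 'unparsed' for one string."""
    m = VERSION_RE.match(firmware.strip())
    if not m:
        return "unparsed"
    product, h_prefix, *nums, build = m.groups()
    # QuTS hero versions carry an "h" prefix, QTS versions do not.
    if (product == "QuTS hero") != (h_prefix == "h"):
        return "unparsed"
    version = tuple(int(n) for n in nums)
    fixed = FIXED.get((product, f"{version[0]}.{version[1]}"))
    if fixed is None:
        return "unlisted"  # branch is not in the advisory's table
    # A missing build date sorts lowest, so a tie on the version number
    # without a date is reported as vulnerable rather than assumed patched.
    installed = (version, int(build) if build else 0)
    return "patched" if installed >= fixed else "vulnerable"


def audit(inventory):
    """Map each host name to the status of its firmware string."""
    return {host: classify(fw) for host, fw in inventory.items()}


# Constructed sample inventory (host names and old versions are made up).
SAMPLE = {
    "nas-01": "QTS 5.1.9.2954 build 20241120",
    "nas-02": "QTS 5.1.8.2000 build 20240101",
    "nas-03": "QuTS hero h5.2.2.2950 build 20241114",
    "nas-04": "QTS 4.5.4.2000 build 20240101",
}

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host:8} {status}")
```

Note that nas-03 is reported as vulnerable: 5.2.2.2950 is the fixed build for QTS 5.2.x, but QuTS hero h5.2.x is fixed only from h5.2.2.2952.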

Attachment

CVE-2024-48859.json
CVE-2024-48865.json
CVE-2024-48866.json
CVE-2024-48867.json
CVE-2024-48868.json
CVE-2024-50393.json
CVE-2024-50402.json
CVE-2024-50403.json

Acknowledgements:

Pwn2Own 2024: Corentin BAYET of Reverse_Tactics, ExLuck of ANHTUD,
Chris Anastasio & Fabius Watson
Anh Nguyen Le Quoc (h4niz), Tri, Nguyen Huu (trinh), Quy, Cao Ngoc
(quycn) of bl4ckh0l3 from Galaxy One

Revision History:

V1.0 (December 07, 2024) - Published
_____________________________________________________________________

Security ID       : QSA-24-48

Vulnerability in Qsync Central

Release date      : December 7, 2024
CVE identifier    : CVE-2024-50404
Affected products : Qsync Central 4.4.x
Severity          : Moderate
Status            : Resolved

Summary

A link following vulnerability has been reported to affect Qsync
Central. If exploited, the vulnerability could allow remote attackers
who have gained user access to traverse the file system to unintended
locations.

We have already fixed the vulnerability in the following version:

Affected Product       Fixed Version
-------------------    ------------------------------------------------
Qsync Central 4.4.x    Qsync Central 4.4.0.16_20240819 (2024/08/19) and later

Recommendation

To fix the vulnerability, we recommend updating Qsync Central to the
latest version.

Updating Qsync Central

1. Log in to QTS or QuTS hero as an administrator.
2. Open App Center and then click .
   A search box appears.
3. Type "Qsync Central" and then press ENTER.
   Qsync Central appears in the search results.
4. Click Update.
   A confirmation message appears.
   Note: The Update button is not available if your Qsync Central is
   already up to date.
5. Click OK.
   The system updates the application.

Attachment

CVE-2024-50404.json

Acknowledgements: c411e

Revision History:

V1.0 (December 07, 2024) - Published
_____________________________________________________________________

Security ID       : QSA-24-50

Vulnerability in License Center

Release date      : December 7, 2024
CVE identifier    : CVE-2024-48863
Affected products : License Center 1.9.x
Severity          : Important
Status            : Resolved

Summary

A command injection vulnerability has been reported to affect License
Center. If exploited, the vulnerability could allow remote attackers
to execute arbitrary commands.

We have already fixed the vulnerability in the following version:

Affected Product        Fixed Version
--------------------    -------------------------------
License Center 1.9.x    License Center 1.9.43 and later

Recommendation

To fix the vulnerability, we recommend updating License Center to the
latest version.

Updating License Center

1. Log on to QTS or QuTS hero as an administrator.
2. Open App Center and then click .
   A search box appears.
3. Type "License Center" and then press ENTER.
   License Center appears in the search results.
4. Click Update.
   A confirmation message appears.
   Note: The Update button is not available if your License Center is
   already up to date.
5. Click OK.
   The application is updated.

Attachment

CVE-2024-48863.json

Acknowledgements:

Anh Nguyen Le Quoc (h4niz), Tri, Nguyen Huu (trinh), Quy, Cao Ngoc
(quycn) of bl4ckh0l3 from Galaxy One

Revision History:

V1.0 (December 07, 2024) - Published

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |  email:cert@support.renater.fr  +
=========================================================