Endpoint Security , Internet of Things Security
QNAP Systems Patches Critical Vulnerability
Taiwanese Hardware Manufacturer Fixes Improper Authentication FlawQNAP Systems on Saturday released a patch for a critical bug that allows unauthorized access to devices without authentication.
See Also: SASE: Recognizing the Challenges of Securing a Hybrid Workforce
The Taiwanese hardware vendor's advisory said the flaw, tracked as CVE-2024-21899 with a CVSS score of 9.8, is an improper authentication problem that could enable users to compromise system security through network access.
According to QNAP, this issue affects its QTS, QuTS hero, and QuTScloud products and potentially exposes network-attached storage devices to unauthorized access.
QNAP's advisory also highlights two additional vulnerabilities that have been resolved in QTS, QuTS hero, QuTScloud, and myQNAPcloud. Tracked as CVE-2024-21900 and CVE-2024-21901, these medium-severity issues could result in command execution or code injection over a network.
CVE-2024-21900 is an injection vulnerability that, if exploited, enables authenticated users to execute commands via a network. CVE-2024-21901 is an SQL injection vulnerability that could allow authenticated administrators to inject malicious code via a network.
The company recommends that users regularly update systems and applications to the latest version to benefit from vulnerability fixes.
The U.S. Cybersecurity and Infrastructure Security Agency in December 2023 found multiple vulnerabilities in various industrial control systems that enabled hackers to gain full access to the system and disclose sensitive information.
CISA's advisory addressed QNAP's VioStor NVR, a device designed for the surveillance and management of IP cameras in a networked environment.
The OS command injection vulnerability tracked as CVE-2023-47565 in VioStor NVR can enable an attacker to achieve remote code execution by exploiting Network Time Protocol settings.
In QNAP VioStor, NTP refers to the configuration options related to time synchronization with external time servers. The protocol is used to synchronize the clocks of devices on a network, ensuring that they have accurate and consistent time settings. The vulnerability can also result in remote code execution.
"Knowing your vulnerabilities and having a plan to manage them is a critical component to a defensible architecture. OT security strategies often start with hardening the environment - removing extraneous OT network access points, maintaining strong policy control at IT/OT interface points, and mitigating high-risk vulnerabilities," Kate Vajda, director of intelligence research at Dragos, told Information Security Media Group in December.
A defensible architecture is not simply a "hardened" one," but supports the people and processes behind it, said Vajda.
"It must support the collection requirements that were established in the IRP and implemented for improved OT visibility and monitoring. Lastly, many aspects of risk-based vulnerability management are only possible when the defenders can leverage a defensible architecture," Vajda said.