QNAP QTS/QuTS hero OS Command Injection Vulnerabilities (CVE-2023-34974/34979) Advisory

From this webpage screenshot, the following key information about the vulnerability can be obtained: 1. Vulnerability ID: QSA-24-32 2. Vulnerability Name: Multiple Vulnerabilities in QTS and QuTS hero 3. Release Date: September 7, 2024 4. CVE Identifiers: CVE-2023-34974 5. Affected Products: QTS 4.5.x, QuTS hero h4.5.x 6. Severity: Medium 7. Status: Resolved 8. Vulnerability Description: - CVE-2023-34974: If exploited, an operating system command injection vulnerability could allow a remote attacker to inject malicious commands with user privileges. - CVE-2023-34979: If exploited, an operating system command injection vulnerability could allow a remote attacker to inject malicious commands with administrator privileges. 9. Fixed Versions: - QTS 4.5.x: QTS 4.5.4.2790 build 20240605 and later versions - QuTS hero h4.5.x: QuTS hero h4.5.4.2790 build 20240606 and later versions 10. Update Recommendation: - Regularly update the system to the latest version to receive vulnerability fixes. - Check available updates on the QNAP website under “Product Support Status.” 11. Update Steps: - Log in to QTS or QuTS hero as an administrator. - Go to “Control Panel > System > Firmware Update.” - Under “Live Update,” click “Check for Updates.” - The system will download and install the latest available update. 12. Attachments: - CVE-2023-34979.json - CVE-2023-34974.json 13. Acknowledgments: - huasheng_mangguo for contribution to CVE-2023-34974 - Tyao0-0x14 for contribution to CVE-2023-34979 14. Revision History: - V1.0 (September 7, 2024) – Initial release

Goal Reached Thanks to every supporter — we hit 100%!

QNAP QTS/QuTS hero OS Command Injection Vulnerabilities (CVE-2023-34974/34979) Advisory