QNAP® Systems, Inc. (QNAP) is committed to maintaining the highest security standards for our products. We have recently been informed of multiple vulnerabilities in our QTS operating system, as detailed in a report by WatchTowr Labs. We would like to address the findings and outline our actions to resolve these issues.
Addressing the Reported QTS Vulnerabilities
We appreciate the efforts of security researchers in identifying potential vulnerabilities in our products. Of the fifteen vulnerabilities reported, we have assigned CVE IDs to those that have been confirmed. We are pleased to announce that all confirmed vulnerabilities (CVE-2024-21902, CVE-2024-27127, CVE-2024-27128, CVE-2024-27129, CVE-2024-27130) are addressed in QTS 5.1.7 / QuTS hero h5.1.7, which is already available today (May 21, Taipei time).
Specifically:
- CVE-2024-27131: The enhancement requires a change in the UI specifications within the QuLog Center. It is not an actual vulnerability, but rather a design choice, and it only affects internal network scenarios. This modification will be addressed in QTS 5.2.0.
- WT-2023-0050: This issue is still under review and has not been confirmed as a valid vulnerability. We are working closely with the researchers to clarify its status.
- WT-2024-0004 and WT-2024-0005: These issues are also under review, and we are in active discussions with the researchers to understand and resolve them.
- WT-2024-0006: This issue has been assigned a CVE ID and will be resolved in the upcoming release.
CVE-2024-27130 Vulnerability
The CVE-2024-27130 vulnerability, which has been reported under WatchTowr ID WT-2023-0054, is caused by the unsafe use of the 'strcpy' function in the No_Support_ACL function, which is utilized by the get_file_size request in the share.cgi script. This script is used when sharing media with external users. To exploit this vulnerability, an attacker requires a valid 'ssid' parameter, which is generated when a NAS user shares a file from their QNAP device.
We want to reassure our users that all QTS 4.x and 5.x versions have Address Space Layout Randomization (ASLR) enabled. ASLR significantly increases the difficulty for an attacker to exploit this vulnerability. Therefore, we have assessed its severity as Medium. Nonetheless, we strongly recommend users update to QTS 5.1.7 / QuTS hero h5.1.7 as soon as it becomes available to ensure their systems are protected.
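The defect class described above (an unbounded 'strcpy' of a request value into a fixed-size buffer) next to a length-checked form, as an added example. This is not QNAP's code: the function names, the 64-byte buffer and the status codes are hypothetical.

```c
#include <stdio.h>
#include <string.h>

#define NAME_BUF_SIZE 64   /* hypothetical fixed buffer size */

/* Unsafe pattern: strcpy() copies up to the source's NUL terminator and
 * never looks at the destination size, so a longer request value writes
 * past the end of dst. Shown for contrast only; never called below. */
void copy_name_unsafe(char *dst, const char *src)
{
    strcpy(dst, src);
}

/* Hardened form: measure the input within dst_size bytes first, reject
 * anything that does not fit, and only then copy. Returns 0 on success,
 * -1 on rejection (dst is left as an empty string). */
int copy_name_checked(char *dst, size_t dst_size, const char *src)
{
    size_t len = 0;
    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;
    while (len < dst_size && src[len] != '\0')
        len++;
    if (len == dst_size) {      /* no room left for the terminator */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, len + 1);  /* len + 1 includes the NUL */
    return 0;
}

/* Hypothetical CGI-style handler returning an HTTP-like status code. */
int handle_name_param(const char *value)
{
    char name[NAME_BUF_SIZE];
    if (copy_name_checked(name, sizeof name, value) != 0)
        return 400;             /* reject rather than truncate or overflow */
    return 200;
}

int main(void)
{
    char long_value[256];       /* constructed oversize input */
    memset(long_value, 'A', sizeof long_value - 1);
    long_value[sizeof long_value - 1] = '\0';
    printf("%d %d\n", handle_name_param("report.pdf"), handle_name_param(long_value));
    return 0;
}
```

ASLR raises the cost of exploiting the unsafe form but leaves the out-of-bounds write in place; the length check removes it.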
Commitment to Security
QNAP PSIRT has always been proactive in collaborating with security researchers to triage and remediate vulnerabilities. We regret any coordination issues that may have occurred between the product release schedule and the disclosure of these vulnerabilities. We are taking steps to improve our processes and coordination in the future to prevent such issues from arising again.
Moving forward, for vulnerabilities triaged as High or Critical severity, we commit to completing remediation and releasing fixes within 45 days. For Medium severity vulnerabilities, we will complete remediation and release fixes within 90 days.
We apologize for any inconvenience this may have caused and are committed to enhancing our security measures continuously. Our goal is to work closely with researchers worldwide to ensure the highest quality of security for our products.
To secure your device, we recommend regularly updating your system to the latest version to benefit from vulnerability fixes. You can check the product support status to see the latest updates available to your NAS model.
QNAP Product Security Incident Response Team (PSIRT)