News Qnap developers warned about dangerous bugs in QTS

xanix

This week, Qnap released an update for its QTS operating system, which runs on the company's NAS, announcing the correction of two vulnerabilities related to command injection.

Although the developers have not yet disclosed many details about the problems found, it is reported that the bugs received the IDs CVE-2020-2490 and CVE-2020-2492, and were fixed as part of QTS 4.4.3.1421 build 20200907.

It is still unclear exactly how an attacker can exploit these bugs, and which OS components are vulnerable. It is only reported that these vulnerabilities can be used remotely, and given that both problems allow command injection, this may mean that the vulnerable device can be completely captured.

Let me remind you that this is the third serious problem with Qnap devices recently. In September 2020, the developers fixed two critical vulnerabilities in the Helpdesk application and reported that the company's NAS may be vulnerable to the Zerologon problem. In addition, in recent months, Qnap devices have been subjected to massive ransomware attacks by AgeLocker and eCh0raix. The latter, however, exploited old and long-known bugs.