QNAP, a prominent network-attached storage (NAS) specialist, has disclosed two vulnerabilities, including a zero-day, in their systems. The coordinated disclosure with researchers at Unit 42 by Palo Alto Networks has led to confusion over the severity of the security problem. While QNAP assigned a middling 5.8 severity score to CVE-2023-50358, Unit 42 emphasized the critical impact and low attack complexity of these remote code execution vulnerabilities affecting IoT devices. The German Federal Office for Information Security (BSI) released an emergency alert, warning that successful exploits could lead to major damage.
The vulnerabilities are command injection flaws, with CVE-2023-50358 affecting QNAP’s QTS firmware and CVE-2023-47218 reported by Stephen Fewer, a security researcher at Rapid7. The disclosure timeline revealed a slight disagreement between QNAP and Rapid7, with QNAP publishing patches earlier than agreed upon. QNAP’s main focus in its disclosure appears to be highlighting the different patches available for various firmware versions, impacting QTS, QuTS hero, and QuTAcloud differently. Internet scans showed almost 290,000 IP addresses with vulnerable devices, with Germany and the US being the most exposed.
