Source URL: https://www.theregister.com/2024/11/26/qnap_veritas_vulnerabilities/
Source: The Register
Title: QNAP and Veritas dump 30-plus vulns over the weekend
Feedly Summary: Just what you want to find when you start a new week
Taiwanese NAS maker QNAP addressed 24 vulnerabilities across various products over the weekend.…
AI Summary and Description: Yes
Summary: QNAP has addressed 24 vulnerabilities across various products, including critical issues that could lead to severe security risks such as code execution and data exposure. Similarly, Veritas has disclosed critical vulnerabilities affecting its Enterprise Vault platform related to deserialization issues in .NET Remoting.
Detailed Description:
The text highlights critical vulnerabilities reported in two separate technological contexts: QNAP and Veritas.
– **QNAP Vulnerabilities**:
– A total of **24 vulnerabilities** were identified, with two classified as critical and nine as high severity.
– Key security risks include:
– Code execution
– File read/write access
– Authentication bypass
– Information disclosure
– Elevation of privileges
– Specific products affected:
– **Notes Station 3**: Notably impacted, with the critical vulnerabilities localized here.
– Other affected products include:
– Photo Station
– AI Core
– QuLog Center
– QuRouter
– Media Streaming Add-on
– QTS and QuTS hero
– Older versions of QTS and QuTS hero are susceptible to existing OpenSSH flaws, requiring users on the 5.1 series to apply fixes unless upgrading to the newer 5.2 series.
– Recently, QNAP had to retract a firmware update due to functional issues reported by users, followed by a rapid re-release of a stable version.
– **Veritas Vulnerabilities**:
– Seven critical vulnerabilities rated 9.8 in severity have been disclosed affecting the **Veritas Enterprise Vault**.
– The vulnerabilities stem from deserialization issues linked to .NET Remoting, which could enable execution of arbitrary code, allowing attackers to gain control of affected systems.
– All currently supported and possibly legacy versions of the platform are vulnerable.
– The vendor plans to release patches in version 15.2 by Q3 2025, highlighting a significant delay in remediation.
– Successful exploitation conditions include:
– Attacker needs RDP access to vulnerable servers.
– Exploits depend on configuration weaknesses and the attackers possessing detailed knowledge about the system.
Implications for Security and Compliance Professionals:
– The QNAP vulnerabilities underscore the necessity for regular updates and audits of NAS systems, especially for critical applications like collaborative note-taking and data management.
– The issue with Veritas reveals a critical risk associated with the handling of untrusted data, emphasizing the importance of strong access control and firewall configurations.
– Organizations using these platforms should prioritize patch management and assess potential impact areas based on these disclosures to mitigate risks effectively.
The analysis of these vulnerabilities serves as a crucial reminder to professionals involved in security, compliance, and IT management about the escalating need for proactive measures to secure their infrastructure against such risks.