QNAP and Veritas dump 30-plus vulns over the weekend

Just what you want to find when you start a new week

Taiwanese NAS maker QNAP addressed 24 vulnerabilities across various products over the weekend.

The flaws include two critical and nine "high" severity vulnerabilities, potentially resulting in code execution, file read/write, authentication bypass, information disclosure, and elevation of privileges.

QNAP's Notes Station 3 (versions 3.9.x), a collaborative note-taking and sharing app, was arguably affected the worst, with both critical bugs localized to the product, as well as two other high-severity issues.

A range of other QNAP products were also among those affected by the flaws, including Photo Station, AI Core, QuLog Center, QuRouter, Media Streaming Add-on, QTS and QuTS hero.

The previous series of operating system versions for both QTS and QuTS hero – the OSes for the entry and mid-level NAS devices and the high-end and enterprise-level devices, respectively – also appears to be vulnerable to older OpenSSH flaws.

Both QTS (5.1.x) and QuTS hero (h5.1.x) were found to be vulnerable to CVE-2023-38408, CVE-2021-41617, and CVE-2020-14145. If upgrading to the 5.2 series isn't an option, there are some fixes available for the 5.1 series, according to the vendor's advisory.

The patches were released on November 23, a Saturday, but we're sure that wasn't to ensure they flew under the radar. Regardless, we asked QNAP about why it chose to disclose them all on Saturday and we'll update the article if it responds.

The vendor was forced to pull a QTS firmware update last week following a flurry of user reports that their NAS devices, once updated, suffered various malfunctions.

QNAP told The Register: "We recently released the QTS 5.2.2.2950 build 20241114 operating system update and received feedback from some users reporting issues with device functionality after installation.

"In response, QNAP promptly withdrew the operating system update, conducted a comprehensive investigation, and re-released a stable version of QTS 5.2.2.2950 build 20241114 within 24 hours."

Veritas's snail-paced patches

On the topic of weekend disclosures, a series of CVEs was published by the National Vulnerability Database on November 24, a Sunday, covering bugs previously disclosed by enterprise data management biz Veritas.

Each of the seven vulnerabilities was given a preliminary 9.8 (critical) severity rating by MITRE using the CVSSv3 system and they all affect Veritas Enterprise Vault, the company's email archiving and enterprise data retention platform.

The CVEs are:

They were all reported to the vendor in July by researcher Sina Kheirkhah, via the Zero-Day Initiative (ZDI). A November 21 deadline to fix the issues applied to all the vulnerabilities – a deadline that has now passed.

Veritas originally disclosed the bugs – without CVEs – on November 15, along with a mitigation. It said it plans to patch them all in version 15.2 of the platform, the general availability of which is expected in Q3 2025.

As for why patching will take so long, we have no idea. We asked the vendor for answers and it promised to get them over to us quickly.

What we do know is that the vulnerabilities are all related to how the product handles the deserialization of untrusted data sent over a .NET Remoting TCP port.

"On start-up, the Enterprise Vault application starts several services that listen on random .NET Remoting TCP ports for possible commands from client applications," Veritas's advisory reads.

"These TCP ports can be exploited due to vulnerabilities that are inherent to the .NET Remoting service. A malicious attacker can exploit both TCP remoting services and local IPC services on the Enterprise Vault Server."

Successful exploitation can lead to code execution that could in turn lead to an attacker taking control of affected systems.

There are a few conditions that must be met for servers to be vulnerable. An attacker would need to have the necessary privileges to establish an RDP connection to a vulnerable server. This means they would need to be part of the RDP user group and know specific details, including the server's IP address, process IDs, dynamic TCP ports, and remotable object URIs.

A successful attack would also hinge on an improperly configured firewall on the server.

All currently supported versions are vulnerable and legacy versions may be too. The mitigation is outlined in the advisory and, given the many months it's going to take for patches to be released, it's a good idea to get it applied. ®

Updated to add at 1114 UTC, November 26

Representatives of both QNAP and Veritas contacted The Register following publication. QNAP said: "According to QNAP's internal investigation, the issue caused by this update only affected limited models of TS-x53D series and TS-x51 series: HS-453DX, TBS-453DX, TS-251D, TS-253D, TS-653D, TS-453D, TS-453Dmini, TS-451D, TS-451D2. Other NAS models running this version remain unaffected and operate normally."

A Veritas spokesperson said: "On 15 November, Veritas issued a support advisory outlining best practices to completely mitigate a newly discovered vulnerability in Enterprise Vault. This guidance reinforces general best practices for the use of the product, such as limiting administrator access to administrators and keeping firewalls turned on. See here for the full advisory. Veritas is confident that, by following this basic guidance, users will be protected against the vulnerability. Given that this best practice resolves the vulnerability without the need for a patch, none was issued. More broadly, to add a further layer of protection for users, Veritas is rearchitecting elements of the Enterprise Vault code to protect against this type of vulnerability occurring in the future. This bigger update is the one mentioned in the advisory."
