Cybersecurity specialists report the detection of a critical vulnerability affecting QNAP QTS and QNAP QuTS hero, two versions of the operating system for network attached storage (NAS) equipment developed by QNAP.
In the report, the flaw was described as a heap-based buffer overflow that exists due to a limit error when Apple File Protocol (AFP) is enabled. Remote threat actors could pass specially crafted data to affected applications to trigger the error and execute remote code on the affected system.
This is a highly severe vulnerability and its successful exploitation would allow the total compromise of the exposed systems. The flaw received a score of 8.5/10 according to the Common Vulnerability Scoring System (CVSS) and does not yet receive CVE identification key.
According to the security alert, the flaws reside in the following versions of the vulnerable products:
- QNAP QTS: prior to 126.96.36.1999 20211008, 188.8.131.521 20211019, 184.108.40.2060 20210923 and 220.127.116.118 20211001
- QuTS hero: prior to h18.104.22.1683 build 20211006 and h22.214.171.1244 build 20211105
Although the flaw can be exploited by unauthenticated threat actors, no active exploitation attempts have been detected so far. Still, users of affected deployments are encouraged to upgrade as soon as possible.
To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.
He is a cyber security and malware researcher. He studied Computer Science at Miami and started working as a cyber security analyst in 2008. He is actively working as an cyber security investigator. He also worked for security companies like Cisco. His everyday job includes researching about new cyber security incidents. Also he has deep level of knowledge in enterprise security implementation.