Taipei, Taiwan, November 21, 2017 - QNAP® had published security enhancement against security vulnerabilities that could affect specific versions of QNAP products. Please use the following information and solutions to correct the security issues and vulnerabilities.
Security Advisory for Command Injection in Video Station
Release date: 2017/11/21
Security ID: NAS-201711-21
Severity rating: High
CVE identifier: CVE-2017-13071
Affected products: Video Station versions 5.1.3 (for QTS 4.3.3), 5. 2.0 (for QTS 4.3.4), and earlier
Summary
A command injection vulnerability was recently found in Video Station. If exploited, this vulnerability may allow a remote attacker to run arbitrary commands on the NAS. We have already patched this vulnerability in Video Station versions 5.1.4 and 5.2.1.
Recommendations
To resolve the issue, you must update your Video Station to the latest version:
- For QTS 4.3.3: Video Station 5.1.4
- For QTS 4.3.4: Video Station 5.2.1
Upgrading to Video Station 5.1.4 or 5.2.1
- Log on to QTS as administrator.
- Open the App Center, and then click the Search icon.
A search box appears.
- Type “Video Station”, and then press ENTER.
The Video Station application appears in the search results list.
- Click Update.
A confirmation message appears.
- Click OK.
The application is updated.
Acknowledgements: GeekPwn, Li Yan Long (李衍龙) and Jie Wei (解炜)
Revision History: V1.0 (November 21, 2017) - Published
If you have any questions regarding this issue, please contact us at
http://helpdesk.qnap.com/.