Taipei, Taiwan, December 15, 2017 - QNAP® has published security enhancements against vulnerabilities that could affect specific versions of QNAP products. Please use the following information and solutions to correct the security issues and vulnerabilities.
Security Advisory for Buffer Overflow Vulnerabilities in QTS
Release date: 2017/12/15
Security ID: NAS-201712-15
Severity rating: High
CVE identifier: CVE-2017-17027 | CVE-2017-17028 | CVE-2017-17029 | CVE-2017-17030 | CVE-2017-17031 | CVE-2017-17032 | CVE-2017-17033
Affected products: All QNAP NAS running QTS 4.2.6 build 20171026, 4.3.3.0378 build 20171117, 4.3.4.0387 (Beta 2) build 20171116 and earlier
Summary
Multiple buffer overflow vulnerabilities were recently found in QTS 4.2.6 build 20171026, 4.3.3.0378 build 20171117, 4.3.4.0387 (Beta 2) build 20171116 and earlier. If exploited, these vulnerabilities may allow remote attackers to run arbitrary code on NAS devices.
We have already patched these vulnerabilities in the following QTS versions:
- 4.2.6 build 20171208
- 4.3.3.0396 build 20171205 and later
- 4.3.4.0411 (Beta 3) build 20171208 and later
Recommendations
To resolve the issue, you must update QTS to the following versions:
- For QTS 4.2.6: 4.2.6 build 20171208
- For QTS 4.3.3: 4.3.3.0396 build 20171205 and later
- For QTS 4.3.4: 4.3.4.0411 (Beta 3) build 20171208 and later
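For administrators auditing several devices, the following added example (not QNAP code) classifies a QTS version string against the fixed builds listed above. It assumes version strings in the format this advisory uses, treats any branch older than the listed ones as covered by "and earlier", and reports newer branches as not listed; the function names are hypothetical.

```python
import re

# Fixed releases from the advisory: branch -> (revision, build date).
# QTS 4.2.6 is listed without a four-digit revision, so it is stored as 0.
FIXED = {
    (4, 2, 6): (0, 20171208),
    (4, 3, 3): (396, 20171205),
    (4, 3, 4): (411, 20171208),
}

# Matches the advisory's format, e.g. "4.3.4.0387 (Beta 2) build 20171116".
VERSION_RE = re.compile(
    r"^\s*(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?(?:\s+\([^)]*\))?\s+build\s+(\d{8})\s*$",
    re.IGNORECASE,
)

def parse_qts(version):
    """Split a QTS version string into (branch, revision, build date)."""
    m = VERSION_RE.match(version)
    if m is None:
        raise ValueError(f"unrecognised QTS version string: {version!r}")
    major, minor, patch, rev, build = m.groups()
    return (int(major), int(minor), int(patch)), int(rev or 0), int(build)

def assess(version):
    """Return 'patched', 'vulnerable' or 'not-listed' for one version string."""
    branch, rev, build = parse_qts(version)
    if branch in FIXED:
        return "patched" if (rev, build) >= FIXED[branch] else "vulnerable"
    if branch < max(FIXED):
        # Assumption: branches below the listed ones fall under "and earlier"
        # and have no fixed build of their own.
        return "vulnerable"
    return "not-listed"  # newer branch: the advisory says nothing about it

if __name__ == "__main__":
    # Constructed inventory for illustration.
    for v in ["4.2.6 build 20171026", "4.3.3.0396 build 20171205",
              "4.3.4.0387 (Beta 2) build 20171116"]:
        print(f"{v:40} {assess(v)}")
```
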
Updating QTS
- Log on to QTS as administrator.
- Go to Control Panel > System > Firmware Update.
- Under Live Update, click Check for Update.
QTS downloads and installs the latest available update.
Acknowledgements:
- Security researcher @nervoir, together with vulnerability researchers from Trend Micro Zero-Day Initiative (ZDI), disclosed these vulnerabilities.
- A security researcher from TRUEL IT disclosed CVE-2017-17033 through Beyond Security’s SecuriTeam Secure Disclosure program.
Revision History: V1.0 (December 15, 2017) - Published
If you have any questions regarding this issue, please contact us at http://helpdesk.qnap.com/.