Discrepancies between researchers have led to confusion. How do I secure my NAS?
Network storage specialists from QNAP have encountered a serious security issue that has raised a lot of questions in the professional community. We are talking about two new vulnerabilities discovered in early November. One of them, with the ID CVE-2023-50358, is a zero-day breach at all.
Notably, QNAP itself rated CVE-2023-50358 as a medium-severity threat (5.8 on the CVSS scale) due to its high implementation complexity and negligible impact, while researchers at Palo Alto Networks described it as critical, with low implementation complexity and a powerful impact, urging affected users to urgently protect your own IoT devices.
Such significant differences in vulnerability assessment caused some confusion among QNAP clients. The US National Vulnerability Database (NVD) is still working on an independent assessment of the severity of the vulnerability.
CVE-2023-50358 is related to command injection in the quick.cgi component of the QTS firmware used on most QNAP NAS devices. Exploiting the vulnerability allows you to execute arbitrary commands in the system.
Palo Alto research has shown that 289,665 IP addresses are vulnerable to CVE-2023-50358, with the largest number found in Germany and the United States.
Meanwhile, QNAP also reported a second vulnerability, CVE-2023-47218, which was discovered by a researcher from Rapid7. It is also associated with command injection and is rated at 5.8 points on the CVSS scale.
Details about the differences between vulnerabilities and specific recommendations for updating different firmware versions remain unclear due to the paucity of technical details in the recommendations from QNAP.
In order not to worry too much, it is recommended to simply update your devices to the latest version of the software, because the necessary fixes have already been released. Although the QNAP recommendations do provide some temporary mitigation measures.
Network storage specialists from QNAP have encountered a serious security issue that has raised a lot of questions in the professional community. We are talking about two new vulnerabilities discovered in early November. One of them, with the ID CVE-2023-50358, is a zero-day breach at all.
Notably, QNAP itself rated CVE-2023-50358 as a medium-severity threat (5.8 on the CVSS scale) due to its high implementation complexity and negligible impact, while researchers at Palo Alto Networks described it as critical, with low implementation complexity and a powerful impact, urging affected users to urgently protect your own IoT devices.
Such significant differences in vulnerability assessment caused some confusion among QNAP clients. The US National Vulnerability Database (NVD) is still working on an independent assessment of the severity of the vulnerability.
CVE-2023-50358 is related to command injection in the quick.cgi component of the QTS firmware used on most QNAP NAS devices. Exploiting the vulnerability allows you to execute arbitrary commands in the system.
Palo Alto research has shown that 289,665 IP addresses are vulnerable to CVE-2023-50358, with the largest number found in Germany and the United States.
Meanwhile, QNAP also reported a second vulnerability, CVE-2023-47218, which was discovered by a researcher from Rapid7. It is also associated with command injection and is rated at 5.8 points on the CVSS scale.
Details about the differences between vulnerabilities and specific recommendations for updating different firmware versions remain unclear due to the paucity of technical details in the recommendations from QNAP.
In order not to worry too much, it is recommended to simply update your devices to the latest version of the software, because the necessary fixes have already been released. Although the QNAP recommendations do provide some temporary mitigation measures.
