QNAP PSIRT’s Official Statement on Security Reports: Insights from WatchTowr Labs


May 22, 2024 by our News Team

QNAP Systems, Inc. is addressing recently reported vulnerabilities in its QTS operating system and has released updates that fix all confirmed vulnerabilities, including one with a medium severity level. The company has also committed to releasing fixes for high or critical severity vulnerabilities within 45 days and for medium severity vulnerabilities within 90 days in the future.

  • Prompt response to identified vulnerabilities
  • Regular updates and fixes for security issues
  • Commitment to collaboration with security researchers


QNAP Systems, Inc. (QNAP) is dedicated to upholding the highest security standards for our products. Recently, we were made aware of several vulnerabilities in our QTS operating system, as reported by WatchTowr Labs. We want to address these findings and outline the actions we are taking to resolve these issues.

We greatly appreciate the efforts of security researchers in identifying potential vulnerabilities in our products. Out of the fifteen vulnerabilities reported, we have assigned CVE IDs to those that have been confirmed. We are pleased to announce that all confirmed vulnerabilities have been addressed in QTS 5.1.7 / QuTS hero h5.1.7, which is available now.

One of the reported vulnerabilities, CVE-2024-27130, was caused by the unsafe use of the ‘strcpy’ function in the No_Support_ACL function. This vulnerability can be exploited when sharing media with external users. However, we want to assure our users that all QTS 4.x and 5.x versions have Address Space Layout Randomization (ASLR) enabled, significantly increasing the difficulty for attackers to exploit this vulnerability. Therefore, we have assessed its severity as Medium. Nevertheless, we strongly recommend updating to QTS 5.1.7 / QuTS hero h5.1.7 as soon as possible for enhanced protection.

We understand that coordination issues may have occurred between the product release schedule and the disclosure of these vulnerabilities, and we regret any inconvenience caused. To prevent such issues in the future, we are taking steps to improve our processes and coordination.

Moving forward, we are committed to promptly addressing and releasing fixes for High or Critical severity vulnerabilities within 45 days. For Medium severity vulnerabilities, we will complete remediation and release fixes within 90 days.

We apologize for any inconvenience caused and remain dedicated to continuously enhancing our security measures. Our goal is to collaborate closely with researchers worldwide to ensure the utmost security for our products. We strongly recommend regularly updating your system to the latest version to benefit from vulnerability fixes. Please check the product support status for the latest updates available for your NAS model.

Thank you for your understanding and ongoing support.

QNAP Product Security Incident Response Team (PSIRT)
Security Advisory: QSA-24-20, QSA-24-23


Background Information


About QNAP: QNAP Systems, founded in Taipei in 2004 by Meiji Chang, has become a global leader in NAS solutions with a strong focus on innovation and user-friendly design. Their strategic partnerships with industry giants and their commitment to pushing the boundaries of what NAS devices can do make them a noteworthy player in the tech world.


Technology Explained


NAS: Network Attached Storage (NAS) is a specialized storage device or server that provides centralized data storage and access over a network, usually using Ethernet connections. NAS systems are designed to offer a convenient and efficient way to store and share files among multiple users or devices within a home or office environment. Unlike traditional storage solutions, NAS devices operate independently and have their own operating systems and management interfaces. They are characterized by easy setup and configuration, making them accessible even to users with limited technical expertise. NAS devices can offer various features, including data redundancy through RAID configurations, remote access over the internet, automatic backup, media streaming, and even application hosting in some advanced models. As a versatile and user-friendly storage solution, NAS has become a popular choice for both personal and small business use.




