Endpoint Security , Internet of Things Security
QNAP Systems Fixes Bugs in QuRouter and Notes Station 3
Exploits Could Allow Remote Command Execution and AccessTaiwanese network-attached storage manufacturer QNAP Systems patched multiple flaws in its operating system and applications that could allow attackers to compromise devices.
See Also: SASE: Recognizing the Challenges of Securing a Hybrid Workforce
QNAP disclosed on Saturday multiple vulnerabilities in several network-attached storage, NAS, models, including three critical flaws with CVSS scores above 9.0. The disclosure included multiple flaws in QNAP's router operating system QuRouter OS.
Other QNAP products impacted by the vulnerabilities include Photo Station, AI Core, QuLog Center, Media Streaming Add-on, QTS and QuTS hero.
The two critical command injection vulnerabilities in QuRouter 2.4.x, tracked as CVE-2024-48860 and CVE-2024-48861, could allow remote attackers to execute arbitrary commands. CVE-2024-48860 is an OS command injection flaw and rated a critical 9.5 on the CVSS scale.
These devices are widely adopted in industrial IoT, smart cities, transportation, healthcare and other critical sectors for managing IoT connectivity.
QNAP patched the vulnerabilities in firmware version 2.4.3.106 and later.
This is the second time in a year QNAP Systems patched QTS and QuTS hero products. QNAP Systems in March released a patch for these products and also included QuTScloud products that exposed network-attached storage devices to unauthorized access.
Notes Station 3: Broad Attack Surface
The hardware vendor's advisory said QNAP's collaborative note-taking and sharing app, Notes Station 3 - versions 3.9.x, faced significant impact from vulnerabilities, including two critical bugs specific to the app and two additional high-severity flaws. These flaws include:
- CVE-2024-38643: Missing authentication allows remote attackers to gain unauthorized system access and execute certain functions.
- CVE-2024-38644: A command injection flaw enables attackers with user access to execute arbitrary commands.
- CVE-2024-38645: A server-side request forgery vulnerability lets attackers read sensitive application data.
- CVE-2024-38646: Incorrect permission assignments grant unauthorized access to critical resources. The vulnerability allows local authenticated attackers with administrator access to read or modify the resource.
Notes Station 3 is a note-taking app integrated into QNAP NAS devices, catering to various users. SMBs use it for secure project collaboration and documentation, while creative teams leverage its multimedia support.
IT teams manage technical logs, educators store lecture notes and research, home users organize personal projects, and remote teams collaborate privately with strong data privacy features.