
QNAP Systems Fixes Bugs in QuRouter and Notes Station 3

Exploits Could Allow Remote Command Execution and Access

Taiwanese network-attached storage manufacturer QNAP Systems patched multiple flaws in its operating system and applications that could allow attackers to compromise devices.

QNAP disclosed on Saturday multiple vulnerabilities in several network-attached storage (NAS) models, including three critical flaws with CVSS scores above 9.0. The disclosure also covered multiple flaws in QNAP's router operating system, QuRouter OS.

Other QNAP products impacted by the vulnerabilities include Photo Station, AI Core, QuLog Center, Media Streaming Add-on, QTS and QuTS hero.

The two critical command injection vulnerabilities in QuRouter 2.4.x, tracked as CVE-2024-48860 and CVE-2024-48861, could allow remote attackers to execute arbitrary commands. CVE-2024-48860 is an OS command injection flaw rated critical at 9.5 on the CVSS scale.

QuRouter devices are widely adopted in industrial IoT, smart cities, transportation, healthcare and other critical sectors for managing IoT connectivity.

QNAP patched the vulnerabilities in firmware version 2.4.3.106 and later.
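A practical follow-up to the fixed-version statement above is checking an inventory of QuRouter builds against the 2.4.3.106 threshold. The following is an added example, not QNAP's code or tooling; the hostnames and version strings are constructed, and it applies only to the 2.4.x branch the article describes, since the page states no threshold for other branches.

```python
import re

# Fixed version stated in the article for QuRouter 2.4.x.
QUROUTER_FIXED = "2.4.3.106"


def parse_version(s: str) -> tuple:
    """Turn a dotted version such as '2.4.3.106' into a tuple of ints.

    A trailing non-numeric piece (e.g. a build tag) ends the parse; missing
    components are treated as 0 by the comparison, so '2.4.3' < '2.4.3.106'.
    """
    parts = []
    for piece in s.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    if not parts:
        raise ValueError(f"unparseable version: {s!r}")
    return tuple(parts)


def is_patched(installed: str, fixed: str = QUROUTER_FIXED) -> bool:
    """True when the installed build is at or above the fixed build."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b


def triage(inventory: dict) -> list:
    """Return hostnames still running a build below the fixed version, sorted."""
    return sorted(host for host, ver in inventory.items() if not is_patched(ver))


# Constructed sample inventory (hypothetical hostnames and versions).
SAMPLE_INVENTORY = {
    "router-a": "2.4.3.106",
    "router-b": "2.4.2.97",
    "router-c": "2.4.3.110",
    "router-d": "2.4.3",
}

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} is below {QUROUTER_FIXED}, schedule an update")
```

The padding step matters for vendor version strings: a device reporting a three-component version is treated as older than the four-component fix build rather than silently passing.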

This is the second time in a year that QNAP Systems has patched its QTS and QuTS hero products. In March, QNAP released a patch for those products, as well as QuTScloud, addressing flaws that exposed network-attached storage devices to unauthorized access.

Notes Station 3: Broad Attack Surface

The hardware vendor's advisory said QNAP's collaborative note-taking and sharing app, Notes Station 3 (versions 3.9.x), was significantly affected by vulnerabilities, including two critical bugs specific to the app and two additional high-severity flaws. These flaws include:

  • CVE-2024-38643: Missing authentication allows remote attackers to gain unauthorized system access and execute certain functions.
  • CVE-2024-38644: A command injection flaw enables attackers with user access to execute arbitrary commands.
  • CVE-2024-38645: A server-side request forgery vulnerability lets attackers read sensitive application data.
  • CVE-2024-38646: Incorrect permission assignments grant unauthorized access to critical resources. The vulnerability allows local authenticated attackers with administrator access to read or modify the resource.
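Two of the classes in the list above, missing authentication and command injection, are best understood by looking at the vulnerable coding pattern beside its hardened form. The following is an added, generic illustration written for this page; it is not Notes Station 3 or QuRouter code, says nothing about how the listed CVEs actually arise, and uses a hypothetical "ping a host" request handler with a constructed session object.

```python
import re
import subprocess
from dataclasses import dataclass
from typing import List, Optional

# Allowlist for a hostname or IPv4 literal: alphanumerics, dots and hyphens,
# starting and ending with an alphanumeric. This rejects a leading "-" (so the
# value cannot become an option) and every shell metacharacter (; | & $ ` etc.).
HOST_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252}[A-Za-z0-9])?")


@dataclass
class Session:
    """Hypothetical request session; user is None when unauthenticated."""
    user: Optional[str] = None

    def is_authenticated(self) -> bool:
        return self.user is not None


def build_ping_vulnerable(host: str) -> str:
    """Insecure pattern, returned as a string and never executed here:
    user input is pasted into a command line destined for a shell, so a
    value such as '127.0.0.1; id' becomes two commands instead of one host."""
    return "ping -c 1 " + host


def is_safe_host(host: str) -> bool:
    return HOST_RE.fullmatch(host) is not None


def validate_host(host: str) -> str:
    if not is_safe_host(host):
        raise ValueError("host contains characters outside the allowlist")
    return host


def build_ping_hardened(host: str) -> List[str]:
    """Hardened pattern: allowlist-validate, then build an argv list so the
    value is exactly one argument and no shell ever parses it."""
    return ["ping", "-c", "1", validate_host(host)]


def handle_ping_request(session: Session, host: str) -> List[str]:
    """The handler checks authentication before doing anything (the
    missing-authentication class), then constructs the command safely.
    Returns the argv that run_ping() would execute."""
    if not session.is_authenticated():
        raise PermissionError("authentication required")
    return build_ping_hardened(host)


def run_ping(session: Session, host: str) -> int:
    """Execute the hardened argv with shell=False and return the exit code."""
    argv = handle_ping_request(session, host)
    return subprocess.run(argv, shell=False, capture_output=True, timeout=5).returncode


if __name__ == "__main__":
    print("vulnerable form builds:", repr(build_ping_vulnerable("127.0.0.1; id")))
    print("hardened argv:", handle_ping_request(Session("admin"), "127.0.0.1"))
```

The two defences are independent: the allowlist stops metacharacters from reaching the command, and `shell=False` with an argv list means that even a value the allowlist missed would be passed as a single argument rather than parsed by a shell. Rejecting the request before any work is done is what distinguishes an authenticated handler from one that merely checks permissions after the fact.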

Notes Station 3 is a note-taking app integrated into QNAP NAS devices, catering to various users. SMBs use it for secure project collaboration and documentation, while creative teams leverage its multimedia support.

IT teams manage technical logs, educators store lecture notes and research, home users organize personal projects, and remote teams collaborate privately with strong data privacy features.


About the Author

Prajeet Nair

Assistant Editor, Global News Desk, ISMG

Nair previously worked at TechCircle, IDG, Times Group and other publications, where he reported on developments in enterprise technology, digital transformation and other issues.
