Over the weekend, QNAP, a Taiwanese NAS maker, addressed 24 vulnerabilities in various products. These vulnerabilities included two critical and nine high-severity issues that could lead to serious consequences such as code execution, file read/write, authentication bypass, and elevation of privileges. Notes Station 3, a note-taking app, was one of the most affected products, with both critical and high-severity bugs.
Other QNAP products, including Photo Station, AI Core, QuLog Center, QuRouter, Media Streaming Add-on, QTS, and QuTS hero, were also impacted by these flaws. Older versions of the QTS and QuTS hero operating systems were found to be vulnerable to older OpenSSH flaws.
Patches addressing the issues were released on November 23. The vendor had to withdraw a QTS firmware update last week due to user reports of malfunctions after installation. QNAP conducted a thorough investigation and re-released a stable version within 24 hours.
Separately, Veritas, an enterprise data management company, disclosed seven critical vulnerabilities affecting its Enterprise Vault platform. These vulnerabilities were reported to the vendor in July and given a high severity rating. The issues are related to how the product handles untrusted data sent over a .NET Remoting TCP port, which could lead to code execution and system compromise.
Veritas plans to patch these vulnerabilities in version 15.2 of the platform, expected to be available in Q3 2025. The company provided mitigation practices to protect users in the meantime. Successful exploitation requires specific conditions to be met, including the attacker having the necessary privileges and knowledge of server details.
Both QNAP and Veritas have taken steps to address the issues and ensure the security of their products. It is essential for users to apply patches and follow best practices recommended by the vendors to mitigate any potential risks. By staying informed and proactive about security updates, users can protect their systems and data from potential threats.