On 4 November 2023, QNAP published security advisories for two critical command injection vulnerabilities impacting multiple versions of QNAP operating systems and applications related to the vendor’s network-attached storage (NAS) devices. Both vulnerabilities have been given critical CVSS scores (CVE-2023-23368: 9.8, CVE-2023-23369: 9.0) and both can lead to unauthenticated, remote threat actors executing commands if successfully exploited.
At this time, Arctic Wolf has not identified any reports of active exploitation or publicly available proof-of-concept code. Historically, threat actors have targeted QNAP NAS products, with multiple vulnerabilities being added to CISA’s Known Exploited Vulnerabilities Catalog after threat actors leveraged them to deploy ransomware.
Recommendations for CVE-2023-23368 & CVE-2023-23369
Upgrade Vulnerable QNAP Products to Fixed Versions
Arctic Wolf strongly recommends applying the latest security updates to affected QNAP products.
| Product | Affected Version | CVE | Fixed Version |
|---|---|---|---|
| QTS | 5.0.x | CVE-2023-23368 | QTS 5.0.1.2376 build 20230421 and later |
| QTS | 4.5.x | CVE-2023-23368 | QTS 4.5.4.2374 build 20230416 and later |
| QTS | 5.1.x | CVE-2023-23369 | QTS 5.1.0.2399 build 20230515 and later |
| QTS | 4.3.6 | CVE-2023-23369 | QTS 4.3.6.2441 build 20230621 and later |
| QTS | 4.3.4 | CVE-2023-23369 | QTS 4.3.4.2451 build 20230621 and later |
| QTS | 4.3.3 | CVE-2023-23369 | QTS 4.3.3.2420 build 20230621 and later |
| QTS | 4.2.x | CVE-2023-23369 | QTS 4.2.6 build 20230621 and later |
| QuTS hero | h5.0.x | CVE-2023-23368 | QuTS hero h5.0.1.2376 build 20230421 and later |
| QuTS hero | h4.5.x | CVE-2023-23368 | QuTS hero h4.5.4.2374 build 20230417 and later |
| QuTScloud | c5.0.x | CVE-2023-23368 | QuTScloud c5.0.1.2374 and later |
| Multimedia Console | 2.1.x | CVE-2023-23369 | Multimedia Console 2.1.2 (2023/05/04) and later |
| Multimedia Console | 1.4.x | CVE-2023-23369 | Multimedia Console 1.4.8 (2023/05/05) and later |
| Media Streaming add-on | 500.1.x | CVE-2023-23369 | Media Streaming add-on 500.1.1.2 (2023/06/12) and later |
| Media Streaming add-on | 500.0.x | CVE-2023-23369 | Media Streaming add-on 500.0.0.11 (2023/06/16) and later |
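As an added example (not part of Arctic Wolf's advisory or any QNAP tooling), the following Python check compares an installed QTS or QuTS hero version string against the fixed versions in the table above, so an inventory can be triaged for the two CVEs. The fixed-version rows are transcribed from the table; the host names and installed versions in the sample inventory are constructed.

```python
import re

# Transcribed from the advisory's table (QTS and QuTS hero rows only):
# (product, affected branch, CVE, minimum fixed version).
FIXED_VERSIONS = [
    ("QTS", "5.1", "CVE-2023-23369", "5.1.0.2399 build 20230515"),
    ("QTS", "5.0", "CVE-2023-23368", "5.0.1.2376 build 20230421"),
    ("QTS", "4.5", "CVE-2023-23368", "4.5.4.2374 build 20230416"),
    ("QTS", "4.3.6", "CVE-2023-23369", "4.3.6.2441 build 20230621"),
    ("QTS", "4.3.4", "CVE-2023-23369", "4.3.4.2451 build 20230621"),
    ("QTS", "4.3.3", "CVE-2023-23369", "4.3.3.2420 build 20230621"),
    ("QTS", "4.2", "CVE-2023-23369", "4.2.6 build 20230621"),
    ("QuTS hero", "h5.0", "CVE-2023-23368", "h5.0.1.2376 build 20230421"),
    ("QuTS hero", "h4.5", "CVE-2023-23368", "h4.5.4.2374 build 20230417"),
]

# Accepts "5.0.1.2376 build 20230421", "h5.0.1.2376 build 20230421" or a bare "4.2.6".
VERSION_RE = re.compile(
    r"^[a-z]?(?P<dotted>\d+(?:\.\d+)*)(?:\s+build\s+(?P<build>\d{8}))?$", re.I)

def parse_version(text):
    """Split a QNAP version string into (numeric dotted tuple, build date as int)."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised QNAP version string: {text!r}")
    dotted = tuple(int(part) for part in m.group("dotted").split("."))
    build = int(m.group("build") or 0)  # missing build date sorts before any real one
    return dotted, build

def is_at_or_above(installed, fixed):
    """True when the installed build is at least the fixed build of the same branch."""
    # Tuple comparison orders by the dotted version first, then by build date.
    return parse_version(installed) >= parse_version(fixed)

def assess(product, installed):
    """Return (status, cve, fixed_version) for one installed QNAP product/version."""
    dotted, _ = parse_version(installed)
    for prod, branch, cve, fixed in FIXED_VERSIONS:
        branch_dotted, _ = parse_version(branch)
        # A branch such as "4.3.6" or "5.0" is a prefix of the installed dotted version.
        if prod == product and dotted[:len(branch_dotted)] == branch_dotted:
            status = "patched" if is_at_or_above(installed, fixed) else "vulnerable"
            return status, cve, fixed
    return "not in advisory table", None, None

if __name__ == "__main__":
    inventory = [("nas-01", "QTS", "4.5.3.2100 build 20221012"),          # constructed
                 ("nas-02", "QuTS hero", "h5.0.1.2376 build 20230421")]   # constructed
    for host, product, version in inventory:
        print(host, product, version, "->", assess(product, version))
```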
Please follow your organisation’s patching and testing guidelines to avoid any operational impact.