Description Preview
A command injection vulnerability has been identified in QNAP NAS devices running legacy versions of the QTS operating system. This vulnerability allows attackers to execute arbitrary commands within a compromised application, potentially leading to full system compromise. The issue affects QTS versions prior to 4.3.6.1663 Build 20210504 and versions prior to 4.3.3.1624 Build 20210416, but does not impact QTS 4.5.3, QuTS hero h4.5.3, or QuTScloud c4.5.5.
Overview
This vulnerability (CVE-2021-28800) is a command injection flaw that exists in older versions of QNAP's QTS operating system. Command injection vulnerabilities occur when an application passes unsafe user-supplied data to a system shell. In this case, the vulnerability allows attackers to execute arbitrary commands with the privileges of the compromised application, potentially leading to unauthorized access, data theft, malware installation, or complete system takeover. The specific affected component within QTS has not been publicly disclosed, but the vulnerability is present in multiple legacy QTS versions.
Remediation
To address this vulnerability, QNAP users should take the following actions:
-
Update to the latest version of QTS:
- For QTS 4.3.6, update to version 4.3.6.1663 Build 20210504 or later
- For QTS 4.3.3, update to version 4.3.3.1624 Build 20210416 or later
- Alternatively, consider upgrading to QTS 4.5.3 or later which is not affected
-
To update QTS:
- Log in to QTS as an administrator
- Navigate to Control Panel > System > Firmware Update
- Select "Check for Update" and follow the prompts to install the latest firmware
-
Additional security measures:
- Ensure your NAS is not directly exposed to the internet
- Configure proper firewall rules to limit access to the NAS
- Use strong, unique passwords and enable two-factor authentication
- Regularly backup critical data stored on the NAS
References
- QNAP Security Advisory: https://www.qnap.com/zh-tw/security-advisory/qsa-21-28
- CVE-2021-28800 Details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28800
- QNAP Firmware Download Center: https://www.qnap.com/en/download
Industry ExposureMost to leastThis section illustrates the prevalence of a specific Common Vulnerabilities and Exposures (CVE) across various industries based on customer reports. The ranking displays industries from the most to least affected by this particular vulnerability, offering valuable insight into where this CVE has been most frequently observed. This information can help organizations within these sectors prioritize their security efforts, understand their relative risk exposure compared to their peers, and focus remediation strategies where they are most needed. By understanding the industry-specific impact, organizations can make more informed decisions regarding patching, resource allocation, and overall risk management related to this CVE.
This section illustrates the prevalence of a specific Common Vulnerabilities and Exposures (CVE) across various industries based on customer reports. The ranking displays industries from the most to least affected by this particular vulnerability, offering valuable insight into where this CVE has been most frequently observed. This information can help organizations within these sectors prioritize their security efforts, understand their relative risk exposure compared to their peers, and focus remediation strategies where they are most needed. By understanding the industry-specific impact, organizations can make more informed decisions regarding patching, resource allocation, and overall risk management related to this CVE.
- Accommodation & Food ServicesAccommodation & Food Services
- Administrative, Support, Waste Management & Remediation ServicesAdministrative, Support, Waste Management & Remediation Services
- Agriculture, Forestry Fishing & HuntingAgriculture, Forestry Fishing & Hunting
- Arts, Entertainment & RecreationArts, Entertainment & Recreation
- ConstructionConstruction
- Educational ServicesEducational Services
- Finance and InsuranceFinance and Insurance
- Health Care & Social AssistanceHealth Care & Social Assistance
- InformationInformation
- Management of Companies & EnterprisesManagement of Companies & Enterprises
- ManufacturingManufacturing
- MiningMining
- Other Services (except Public Administration)Other Services (except Public Administration)
- Professional, Scientific, & Technical ServicesProfessional, Scientific, & Technical Services
- Public AdministrationPublic Administration
- Real Estate Rental & LeasingReal Estate Rental & Leasing
- Retail TradeRetail Trade
- Transportation & WarehousingTransportation & Warehousing
- UtilitiesUtilities
- Wholesale TradeWholesale Trade
