Taiwanese
company
QNAP
has
released
updates
to
remediate
a
critical
security
flaw
affecting
its
network-attached
storage
(NAS)
devices
that
could
lead
to
arbitrary
code
injection.
Tracked
as
CVE-2022-27596,
the
vulnerability
is
rated
9.8
out
of
a
maximum
of
10
on
the
CVSS
scoring
scale.
It
affects
QTS
5.0.1
and
QuTS
hero
h5.0.1.
“If
exploited,
this
vulnerability
allows
remote
attackers
to
inject
malicious
code,”
QNAP
said
in
an
advisory
released
Monday.
The
exact
technical
specifics
surrounding
the
flaw
are
unclear,
but
the
NIST
National
Vulnerability
Database
(NVD)
has
categorized
it
as
an
SQL
injection
vulnerability.
This
means
an
attacker
could
send
specially
crafted
SQL
queries
such
that
they
could
be
weaponized
to
bypass
security
controls
and
access
or
alter
valuable
information.
“Just
as
it
may
be
possible
to
read
sensitive
information,
it
is
also
possible
to
make
changes
or
even
delete
this
information
with
a
SQL
injection
attack,”
according
to
MITRE.
The
vulnerability
has
been
addressed
in
versions
QTS
5.0.1.2234
build
20221201
and
later,
as
well
as
QuTS
hero
h5.0.1.2248
build
20221215
and
later.
Zero-day
vulnerabilities
in
exposed
QNAP
appliances
have
been
put
to
use
by
DeadBolt
ransomware
actors
to
breach
target
networks,
making
it
essential
to
update
to
the
latest
version
in
order
to
mitigate
potential
threats.
To
apply
the
updates,
users
are
advised
to
log
in
to
QTS
or
QuTS
hero
as
an
administrator,
navigate
to
Control
Panel
>
System
>
Firmware
Update,
and
select “Check
for
Update”
under
the “Live
Update”
section.
