Alert GCSA-22089 - Multiple vulnerabilities in QNAP NAS

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

******************************************************************

Alert ID: GCSA-22089
Date: 16 August 2022
Title: Multiple vulnerabilities in QNAP NAS

******************************************************************


:: Problem description

Multiple vulnerabilities have been identified in QNAP NAS devices
that could allow a remote attacker to execute arbitrary code,
gain elevated privileges and access to sensitive information,
cause Denial of Service conditions and bypass security restrictions on an affected system.


:: Affected software

QTS 4.2.x
QTS 4.3.x
QTS 4.5.x/4.4.x
QTS 5.0.0
QTS 5.0.1
QuTS hero h4.5.x
QuTS hero h5.0.0
QuTS hero h5.0.1
QuTScloud c5.0.1


:: Impact

Denial of Service
Elevation of Privilege
Remote Code Execution
Information Disclosure
Cross-Site Scripting
Security Restriction Bypass


:: Solutions

Update systems to the latest released versions:

https://www.qnap.com/en/security-advisory/qsa-22-11
https://www.qnap.com/en/security-advisory/qsa-22-22
https://www.qnap.com/en/security-advisory/qsa-22-23


:: References

QNAP Security Advisory:
https://www.qnap.com/en/security-advisory/qsa-22-11
https://www.qnap.com/en/security-advisory/qsa-22-22
https://www.qnap.com/en/security-advisory/qsa-22-23

Mitre CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2031
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22721
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23943
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26377
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28330
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28614
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28615
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29404
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30522
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30556
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31813
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32742
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32744
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32745
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32746


GARR CERT Security Alert - subscribe/unsubscribe:
https://www.cert.garr.it/alert/ricevi-gli-alert-di-cert
-----BEGIN PGP SIGNATURE-----

iD8DBQFi+1+5wZxMk2USYEIRCJDiAJ0ROA/FM/utel1jl2Zt8RlhUztgugCgocJg
ExwUnxVjcmcuUTnwarixxQQ=
=3Drq
-----END PGP SIGNATURE-----