SB2018112312 - Multiple vulnerabilities in QNAP QTS 

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2018112312

SB2018112312 - Multiple vulnerabilities in QNAP QTS

Published: November 23, 2018

Security Bulletin ID SB2018112312
Severity
Low
Patch available
YES
Number of vulnerabilities 4
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 25% Low 75%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 4 secuirty vulnerabilities.


1) Command injection (CVE-ID: CVE-2018-14746)

The vulnerability allows a remote attacker to execute arbitrary commands on the target system.

The vulnerability exists due to insufficient filtering of user-provided input. A remote attacker can supply specially crafted input to inject and execute arbitrary commands with root privileges.


2) Denial of service (CVE-ID: CVE-2018-14747)

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The vulnerability exists due to unspecified flaw. A remote attacker can cause the NAS media server to crash.


3) Denial of service (CVE-ID: CVE-2018-14748)

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The vulnerability exists due to unspecified flaw. A remote attacker can power off the NAS.


4) Buffer overflow (CVE-ID: CVE-2018-14749)

The vulnerability allows a remote attacker to cause DoS condition or execute arbitrary code on the target system.

The vulnerability exists due to buffer overflow. A remote attacker can trigger memory corruption and cause the service to crash or execute arbitrary code with elevated privileges.

Successful exploitation of the vulnerability may result in system compromise.


Remediation

Install update from vendor's website.

References