Security Advisory for Access Control on QTS

Summary

Some reported QTS vulnerabilities may affect QNAP NAS devices running QTS 4.2.6 and earlier versions. Below are the details for each CVE.

• CVE-2019-7189: If exploited, the vulnerability can be used to modify user account information.
• CVE-2019-7190: If exploited, the vulnerability can be used to inject unexpected content through XML code.
• CVE-2019-7191: If exploited, the vulnerability can be used to inject unexpected parameters to system files.

We have already fixed these issues in the following QTS versions:

• QTS 4.4.1: build 20190626 and later
• QTS 4.4.0: build 20190627 and later
• QTS 4.3.6: build 20190704 and later
• QTS 4.3.4: build 20190701 and later
• QTS 4.3.3: build 20190629 and later
• QTS 4.2.6: build 20190629 and later

Recommendation

To fix these vulnerabilities, we recommend updating QTS to the latest version.

Installing the QTS Update

1. Log on to QTS as administrator.
2. Go to Control Panel > System > Firmware Update.
3. Under Live Update, click Check for Update.
   QTS downloads and installs the latest available update.

Tip: You can also download the update from the QNAP website. Go to Support > Download Center and then perform a manual update for your specific device.