Security ID : NAS-201912-19

Security Advisory for Multiple SMB Vulnerabilities in QTS


  • Release date : December 19, 2019

  • CVE identifier : CVE-2019-10218 | CVE-2019-14833 | CVE-2019-14847

  • Affected products: QNAP NAS devices

Severity

Moderate

Status

Resolved


Summary

Three vulnerabilities have been reported to affect all versions of SMB in QTS.

  • CVE-2019-10218: Malicious servers can cause Samba client code to return server-supplied file names containing path separators to calling code.
  • CVE-2019-14833: When the password contains multi-byte (non-ASCII) characters, the “check password script” does not receive the full password string.
  • CVE-2019-14847: Users with the “get changes” extended access right can crash the AD DC LDAP server by requesting an attribute using the range syntax.

QNAP has fixed these issues in the following software versions.

SMB:

  • QTS 4.4.1: build 20191109 and later
  • QTS 4.3.6: build 20191212 and later
  • QTS 4.3.4: build 20191107 and later
  • QTS 4.3.3: build 20191107 and later
  • QTS 4.2.6: build 20191107 and later

Recommendation

To fix these vulnerabilities, we recommend updating QTS to the latest versions.

Important:

Regardless of which version of QTS you currently use, QNAP strongly recommends updating your QTS to the latest available version for your NAS model to ensure that your device can benefit from vulnerability fixes. You can check the product support status of your NAS model.

Installing the QTS Update

  1. Log on to QTS as administrator.
  2. Go to Control Panel > System > Firmware Update.
  3. Under Live Update, click Check for Update.
    QTS downloads and installs the latest available update.

Tip: You can also download the update from the QNAP website. Go to Support > Download Center and then perform a manual update for your specific device.

 

Revision History: V1.0 (December 19, 2019) - Published
