Search

安全ID : QSA-20-18

Command Injection Vulnerability in QES

  • 发布日期 : December 23, 2020

  • 通用漏洞披露 : CVE-2016-6903

  • 受影响产品: QNAP NAS running QES

严重程度

Important

状态

已解决

Summary

A command injection vulnerability has been reported to affect earlier versions of QES. If exploited, this vulnerability could allow remote attackers to run arbitrary commands in Ishell.

QNAP has already fixed the issue in QES 2.1.1 Build 20201006 and later.

Recommendation

To fix this vulnerability, we recommend updating QES to the latest version.

Installing the QES Update

  1. Log on to QES as administrator.
  2. Go to Control Panel > System > Firmware Update.
  3. Under Live Update, click Check for Update.
    QES downloads and installs the latest available update.

Tip: You can also download the update from the QNAP website. Go to Support > Download Center and then perform a manual update for your specific device.

致谢: TIM Security Red Team Research

修订历史: V1.0 (December 23, 2020) - Published

选择规格

      显示更多 隐藏更多
      open menu
      back to top