Critical Security Alerts: Veeam and QNAP Address Vulnerabilities in Their Software

In cybersecurity, staying one step ahead of potential threats is crucial. Two significant security updates have been released, and it’s imperative for organizations to take action promptly. Let’s dive into the details of these high-priority alerts. 

Veeam ONE IT Monitoring Software Vulnerabilities 

Veeam, a well-known name in IT infrastructure monitoring, has identified four critical vulnerabilities within its Veeam ONE platform.  

Vulnerabilities Identified:  

1. CVE-2023-38547 (CVSS score: 9.9): This unspecified flaw could be exploited by an unauthenticated user to gain information about the SQL server connection used by Veeam ONE to access its configuration database. This could result in remote code execution on the SQL server. 
2. CVE-2023-38548 (CVSS score: 9.8): A vulnerability that could allow an unprivileged user with access to the Veeam ONE Web Client to obtain the NTLM hash of the account used by the Veeam ONE Reporting Service. 
3. CVE-2023-38549 (CVSS score: 4.5): A cross-site scripting (XSS) vulnerability that could be exploited by a user with the Veeam ONE Power User role to obtain the access token of a user with the Veeam ONE Administrator role. 
4. CVE-2023-41723 (CVSS score: 4.3): A vulnerability that allows a user with the Veeam ONE Read-Only User role to view the Dashboard Schedule.

The gravity of these vulnerabilities is underlined by recent incidents where threat actors, including known groups like FIN7 and BlackCat ransomware, exploited critical flaws in Veeam’s backup software. Hence, taking immediate action is essential. 

Recommended Actions for Veeam Users: 

• Update to one of the recommended versions with the necessary fixes: Veeam ONE 11 (11.0.0.1379), Veeam ONE 11a (11.0.1.1880), or Veeam ONE 12 P20230314 (12.0.1.2591). 
• Administrators should stop Veeam ONE monitoring and reporting services on impacted servers, replace existing files with the hotfix, and restart the services to deploy the hotfixes. 
• Detailed instructions can be found in Veeam’s KB article KB4508. 

QNAP QTS OS and Apps Vulnerabilities 

QNAP, a network-attached storage (NAS) device provider, has identified critical vulnerabilities in its QTS operating system and associated applications. These vulnerabilities could allow remote attackers to execute arbitrary commands, potentially compromising data stored on NAS devices. 

Vulnerabilities Identified: 

1. CVE-2023-23368 (Severity: 9.8): A critical command injection flaw affecting QTS versions 5.0.x and 4.5.x, QuTS hero versions h5.0.x and h4.5.x, and QuTScloud version c5.0.1. 
2. CVE-2023-23369 (Severity: 9.0): Another critical command injection flaw impacting QTS versions 5.1.x, 4.3.6, 4.3.4, 4.3.3, and 4.2.x, along with Multimedia Console versions 2.1.x and 1.4.x, and Media Streaming add-on versions 500.1.x and 500.0.x.

These vulnerabilities pose a significant risk, as NAS devices are commonly used for data storage, making them attractive targets for cybercriminals. 

Recommended Actions for QNAP Users: 

• Install the available security updates as soon as possible. Administrators can conveniently update their QTS, QuTS hero, or QuTScloud systems by accessing the Control Panel, selecting System, and then clicking on Firmware Update. 
• Users with Multimedia Console and Media Streaming add-ons are advised to update via the App Center. 

By taking these preventive measures, organizations can fortify their QNAP NAS devices against potential exploits and ensure the security of their stored data. 

Software and System Vulnerabilities: A Continuous Challenge 

Vulnerabilities in software and systems are a persistent concern in the cybersecurity landscape. Veeam and QNAP have acted swiftly to address critical flaws in their products, and it’s now up to organizations to do their part. Staying updated and implementing the recommended security measures is essential to protect valuable data and systems from potential threats.