QNAP® has published security enhancements against security vulnerabilities that could affect specific versions of QNAP products. Please use the following information and solutions to correct the security issues and vulnerabilities.
Command Injection Vulnerability in the Media Streaming Add-On
Release date: October 22, 2021
Security ID: QSA-21-44
Severity rating: High
CVE identifier: CVE-2021-34362
Affected products: QNAP NAS running the Media Streaming add-on
A command injection vulnerability has been reported to affect QNAP NAS running the Media Streaming add-on. If exploited, this vulnerability allows remote attackers to run arbitrary commands.
We have already fixed this vulnerability in the following versions of the Media Streaming add-on:
- QTS 5.0.0: Media Streaming add-on 500.0.0.3 (2021/08/20) and later
- QTS 4.5.4: Media Streaming add-on 500.0.0.3 (2021/08/20) and later
- QTS 4.3.6: Media Streaming add-on 4188.8.131.52 (2021/08/20) and later
- QTS 4.3.3: Media Streaming add-on 4184.108.40.206 (2021/09/29) and later
- QuTS hero h5.0.0: Media Streaming add-on 500.0.0.3 (2021/08/20) and later
To fix the vulnerability, we recommend updating the Media Streaming add-on to the latest version.
Updating the Media Streaming Add-On
- Log on to QTS as administrator.
- Open the App Center and then click the search icon.
A search box appears.
- Type “Media Streaming add-on” and then press ENTER.
The Media Streaming add-on appears in the search results.
- Click Update.
A confirmation message appears.
Note: The Update button is not available if your Media Streaming add-on is already up to date.
- Click OK.
The application is updated.
Acknowledgements: Tony Martin, a security researcher
Revision History: V1.0 (October 22, 2021) – Published
If you have any questions regarding this issue, please contact us at https://www.qnap.com/go/support-ticket/.