Security ID : NAS-201712-15
Security Advisory for Buffer Overflow Vulnerabilities in QTS
Release date : December 15, 2017
CVE identifier : CVE-2017-17027 | CVE-2017-17028 | CVE-2017-17029 | CVE-2017-17030 | CVE-2017-17031 | CVE-2017-17032 | CVE-2017-17033
Affected products:
• For QTS 4.2.6: 4.2.6 build 20171026 and earlier
• For QTS 4.3.3: 4.3.3.0378 build 20171117 and earlier
• For QTS 4.3.4: 4.3.4.0387 (Beta 2) build 20171116 and earlier
Severity
High
Status
Resolved
Summary
Multiple buffer overflow vulnerabilities were recently found in QTS 4.2.6 build 20171026, 4.3.3.0378 build 20171117, 4.3.4.0387 (Beta 2) build 20171116 and earlier. If exploited, these vulnerabilities may allow remote attackers to run arbitrary code on NAS devices.
We have already patched these vulnerabilities in the following QTS versions:
- 4.2.6 build 20171208
- 4.3.3.0396 build 20171205 and later
- 4.3.4.0411 (Beta 3) build 20171208 and later
Recommendations
To resolve the issue, you must update QTS to the following versions:
- For QTS 4.2.6: 4.2.6 build 20171208
- For QTS 4.3.3: 4.3.3.0396 build 20171205 and later
- For QTS 4.3.4: 4.3.4.0411 (Beta 3) build 20171208 and later
An exploit of one of these vulnerabilities has been made public. We strongly recommend users to update QTS as soon as possible.
Updating QTS
- Log on to QTS as administrator.
- Go to Control Panel > System > Firmware Update.
- Under Live Update, click Check for Update.
QTS downloads and installs the latest available update.
Acknowledgements:
• Security researcher @nervoir, together with vulnerability researchers from Trend Micro Zero-Day Initiative (ZDI), disclosed these vulnerabilities.
• A security researcher from TRUEL IT disclosed CVE-2017-17033 through Beyond Security’s SecuriT
Revision History:
• V 1.1 (January 3, 2018) - Updated recommendations
• V1.0 (December 15, 2017) - Published