Cyber Resilience

CVE-2024-21899

Critical

Published: 08 March 2024

Published
08 March 2024
Modified
21 November 2024
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.1141 93.7th percentile
Risk Priority 26 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-21899 is a critical-severity Improper Authentication (CWE-287) vulnerability in Qnap Qts. Its CVSS base score is 9.8 (Critical).

Operationally, ranked in the top 6.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2024-21899 is an improper authentication vulnerability, tracked under CWE-287, that affects multiple QNAP operating system versions including QTS, QuTS hero, and QuTScloud. The flaw carries a CVSS 3.1 score of 9.8 and permits unauthenticated network-based attacks that can fully compromise system confidentiality, integrity, and availability.

An attacker with network access can exploit the weakness without credentials or user interaction to bypass authentication controls and gain unauthorized access to the affected QNAP device. Successful exploitation allows the attacker to compromise the security of the system, potentially leading to full control over stored data and services.

QNAP has addressed the issue in the security advisory QSA-24-09 by releasing fixed builds: QTS 5.1.3.2578 build 20231110 and later, QTS 4.5.4.2627 build 20231225 and later, QuTS hero h5.1.3.2578 build 20231110 and later, QuTS hero h4.5.4.2626 build 20231225 and later, and QuTScloud c5.1.5.2651 and later. The EPSS score remains flat at 0.1141 with no material rise after disclosure.

EU & UK References

Vulnerability details

An improper authentication vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to compromise the security of the system via a network. We have already fixed the vulnerability in the following…

more

versions: QTS 5.1.3.2578 build 20231110 and later QTS 4.5.4.2627 build 20231225 and later QuTS hero h5.1.3.2578 build 20231110 and later QuTS hero h4.5.4.2626 build 20231225 and later QuTScloud c5.1.5.2651 and later

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

qnap
qts
4.5.4.2627, 5.1.3.2578 · ≤ 4.5.4.2627 · 5.1.0 — 5.1.3.2578
qnap
quts hero
h4.5.4.2626, h5.1.3.2578 · ≤ h4.5.4.2626 · h5.1.0 — h5.1.3.2578
qnap
qutscloud
≤ c5.1.5.2651

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-287

Detects unauthorized successful logons resulting from improper authentication implementations.

addresses: CWE-287

Documented procedures ensure personnel are trained on authentication mechanisms, tangibly lowering the risk of improper authentication being exploited.

addresses: CWE-287

Security awareness training instructs users on secure authentication practices and avoiding credential compromise.

addresses: CWE-287

Training on authentication mechanisms and best practices decreases the occurrence of improper authentication.

addresses: CWE-287

Non-repudiation requires strong authentication mechanisms to irrefutably attribute performed actions to specific individuals or processes.

addresses: CWE-287

Session content review can reveal authentication bypasses or failures in session establishment.

addresses: CWE-287

Review of authentication-related audit records can detect improper authentication mechanisms or bypasses.

addresses: CWE-287

Assessments check authentication mechanisms for correct implementation and effectiveness, reducing successful authentication bypass attempts.

References