CVE-2024-21899
Published: 08 March 2024
Summary
CVE-2024-21899 is a critical-severity Improper Authentication (CWE-287) vulnerability in Qnap Qts. Its CVSS base score is 9.8 (Critical).
Operationally, ranked in the top 6.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2024-21899 is an improper authentication vulnerability, tracked under CWE-287, that affects multiple QNAP operating system versions including QTS, QuTS hero, and QuTScloud. The flaw carries a CVSS 3.1 score of 9.8 and permits unauthenticated network-based attacks that can fully compromise system confidentiality, integrity, and availability.
An attacker with network access can exploit the weakness without credentials or user interaction to bypass authentication controls and gain unauthorized access to the affected QNAP device. Successful exploitation allows the attacker to compromise the security of the system, potentially leading to full control over stored data and services.
QNAP has addressed the issue in the security advisory QSA-24-09 by releasing fixed builds: QTS 5.1.3.2578 build 20231110 and later, QTS 4.5.4.2627 build 20231225 and later, QuTS hero h5.1.3.2578 build 20231110 and later, QuTS hero h4.5.4.2626 build 20231225 and later, and QuTScloud c5.1.5.2651 and later. The EPSS score remains flat at 0.1141 with no material rise after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-19510
Vulnerability details
An improper authentication vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to compromise the security of the system via a network. We have already fixed the vulnerability in the following…
more
versions: QTS 5.1.3.2578 build 20231110 and later QTS 4.5.4.2627 build 20231225 and later QuTS hero h5.1.3.2578 build 20231110 and later QuTS hero h4.5.4.2626 build 20231225 and later QuTScloud c5.1.5.2651 and later
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Detects unauthorized successful logons resulting from improper authentication implementations.
Documented procedures ensure personnel are trained on authentication mechanisms, tangibly lowering the risk of improper authentication being exploited.
Security awareness training instructs users on secure authentication practices and avoiding credential compromise.
Training on authentication mechanisms and best practices decreases the occurrence of improper authentication.
Non-repudiation requires strong authentication mechanisms to irrefutably attribute performed actions to specific individuals or processes.
Session content review can reveal authentication bypasses or failures in session establishment.
Review of authentication-related audit records can detect improper authentication mechanisms or bypasses.
Assessments check authentication mechanisms for correct implementation and effectiveness, reducing successful authentication bypass attempts.