Alert Date:

Threat: Critical

Audience:

IT Professionals and Managers

Purpose:

An Alert is used to raise awareness of a recently identified cyber threat that may impact cyber information assets, and to provide additional detection and mitigation advice to recipients. The National Security Operations Centre (NSOC) is also available to provide additional assistance regarding the contents of this Alert to recipients as requested.

Overview:

The National Security Operations Centre (NSOC) is alerting the public to multiple vulnerabilities that have been identified in QNAP’s Notes Station 3 version 3.9.x. These vulnerabilities, if successfully exploited, could lead to unauthorized system access, arbitrary code execution, data leakage, or unauthorized access to critical resources.

The following vulnerabilities are addressed:

  • CVE-2024-38643
    Severity: Critical
    CVSS Score: 9.3
    Missing authentication for critical functions, potentially allowing remote attackers to gain unauthorized access to the system.
  • CVE-2024-38644
    Severity: High
    CVSS Score: 8.7
    Command injection vulnerability, which could allow attackers with user-level access to execute arbitrary commands.
  • CVE-2024-38645
    Severity: Critical
    CVSS Score: 9.4
    Server-side request forgery (SSRF) vulnerability, which could allow attackers to read sensitive application data.
  • CVE-2024-38646
    Severity: High
    CVSS Score: 8.4
    Incorrect permission assignment for critical resources, potentially allowing local attackers with administrator access to gain unauthorized access to data.

Affected Versions:

Notes Station 3 version 3.9.x (All versions prior to 3.9.7)

Recommendations:

To address these vulnerabilities, users or system administrators should upgrade Notes Station 3 to version 3.9.7 or later. Detailed steps for mitigation can be found in QNAP’s official advisory.
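As an added example (not part of NSOC's alert or of QNAP's advisory), the following Python script shows how an administrator can check an inventory of Notes Station 3 installations against the affected range stated above (3.9.x below 3.9.7) and tag each affected host with the four CVEs listed in this alert, so patching can be prioritised by CVSS score. The hostnames and version strings are constructed sample data; the parsing rules are an assumption about how version strings are recorded, not a QNAP format.

```python
"""
Inventory check for the Notes Station 3 advisory above.

Flags installations whose version falls in the affected range
(3.9.x with x < 7) and attaches the CVEs from the advisory.
The host list at the bottom is a constructed sample, not real data.
"""
import re
from dataclasses import dataclass

# CVE details exactly as listed in the advisory: (severity, CVSS, summary).
ADVISORY_CVES = {
    "CVE-2024-38643": ("Critical", 9.3, "Missing authentication for critical functions"),
    "CVE-2024-38644": ("High", 8.7, "Command injection"),
    "CVE-2024-38645": ("Critical", 9.4, "Server-side request forgery (SSRF)"),
    "CVE-2024-38646": ("High", 8.4, "Incorrect permission assignment for critical resources"),
}

# First fixed release named in the advisory.
FIXED_VERSION = (3, 9, 7)

# Assumed version-string shape: optional 'v', dotted numbers, anything after is ignored.
_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """Return (major, minor, patch) from strings like '3.9.6' or 'v3.9.0 build 20240301'.
    Raises ValueError when the string does not start with a dotted version."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected(version_text):
    """True if the version is in the advisory's affected range: 3.9.x below 3.9.7.
    The advisory scopes the range to the 3.9 branch, so other branches return False."""
    major, minor, patch = parse_version(version_text)
    return (major, minor) == FIXED_VERSION[:2] and patch < FIXED_VERSION[2]


@dataclass
class Finding:
    host: str
    version: str
    cves: tuple


def assess(inventory):
    """Return a Finding for every host running an affected build.
    Hosts whose version string cannot be parsed are reported with cves=('UNKNOWN',)
    rather than silently skipped, so they still get manual follow-up."""
    findings = []
    for host, version in inventory:
        try:
            affected = is_affected(version)
        except ValueError:
            findings.append(Finding(host, version, ("UNKNOWN",)))
            continue
        if affected:
            findings.append(Finding(host, version, tuple(sorted(ADVISORY_CVES))))
    return findings


def highest_cvss(cves):
    """Highest CVSS score among the given advisory CVEs (0.0 if none are known)."""
    return max((ADVISORY_CVES[c][1] for c in cves if c in ADVISORY_CVES), default=0.0)


# Constructed sample inventory: hostnames and versions are made up.
SAMPLE_INVENTORY = [
    ("nas-01.example.internal", "3.9.6"),
    ("nas-02.example.internal", "3.9.7"),
    ("nas-03.example.internal", "v3.9.0 build 20240301"),
    ("nas-04.example.internal", "3.8.4"),
    ("nas-05.example.internal", "unknown"),
]

if __name__ == "__main__":
    for f in assess(SAMPLE_INVENTORY):
        print(f"{f.host}: Notes Station 3 {f.version} -> "
              f"max CVSS {highest_cvss(f.cves)}: {', '.join(f.cves)}")
```

Run as-is to see the two affected sample hosts plus the one with an unparseable version; to use it against real data, replace SAMPLE_INVENTORY with (hostname, version) pairs exported from your asset inventory.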