// For flags

CVE-2021-34343

Buffer Overflow Vulnerability in QTS, QuTS hero, and QuTScloud

Severity Score

7.2
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

A stack buffer overflow vulnerability has been reported to affect QNAP device running QTS, QuTScloud, QuTS hero. If exploited, this vulnerability allows attackers to execute arbitrary code. We have already fixed this vulnerability in the following versions of QTS, QuTScloud, QuTS hero: QTS 4.5.4.1715 build 20210630 and later QTS 5.0.0.1716 build 20210701 and later QuTScloud c4.5.6.1755 and later QuTS hero h4.5.4.1771 build 20210825 and later

Se ha reportado de una vulnerabilidad de desbordamiento del búfer de la pila que afecta al dispositivo QNAP que ejecuta QTS, QuTScloud, QuTS hero. Si es explotado, esta vulnerabilidad permite a atacantes ejecutar código arbitrario. Ya hemos corregido esta vulnerabilidad en las siguientes versiones de QTS, QuTScloud, QuTS hero: QTS 4.5.4.1715 build 20210630 y posteriores QTS 5.0.0.1716 build 20210701 y posteriores QuTScloud c4.5.6.1755 y posteriores QuTS hero h4.5.4.1771 build 20210825 y posteriores

*Credits: Bingwei Peng of VARAS@IIE
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
High
Attack Vector
Network
Attack Complexity
Low
Authentication
Single
Confidentiality
Partial
Integrity
Partial
Availability
Partial
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2021-06-08 CVE Reserved
  • 2021-09-10 CVE Published
  • 2023-04-03 EPSS Updated
  • 2024-09-16 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-787: Out-of-bounds Write
CAPEC
References (1)
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Qnap
Search vendor "Qnap"
Qts
Search vendor "Qnap" for product "Qts"
< 4.3.3.1693
Search vendor "Qnap" for product "Qts" and version " < 4.3.3.1693"
-
Affected
Qnap
Search vendor "Qnap"
Qts
Search vendor "Qnap" for product "Qts"
>= 4.3.4 < 4.3.6.1750
Search vendor "Qnap" for product "Qts" and version " >= 4.3.4 < 4.3.6.1750"
-
Affected
Qnap
Search vendor "Qnap"
Qts
Search vendor "Qnap" for product "Qts"
>= 4.4.0 < 4.5.4.1715
Search vendor "Qnap" for product "Qts" and version " >= 4.4.0 < 4.5.4.1715"
-
Affected
Qnap
Search vendor "Qnap"
Qts
Search vendor "Qnap" for product "Qts"
>= 5.0.0 < 5.0.0.1716
Search vendor "Qnap" for product "Qts" and version " >= 5.0.0 < 5.0.0.1716"
-
Affected
Qnap
Search vendor "Qnap"
Quts Hero
Search vendor "Qnap" for product "Quts Hero"
< h4.5.4.1771
Search vendor "Qnap" for product "Quts Hero" and version " < h4.5.4.1771"
-
Affected
Qnap
Search vendor "Qnap"
Qutscloud
Search vendor "Qnap" for product "Qutscloud"
< c4.5.6.1755
Search vendor "Qnap" for product "Qutscloud" and version " < c4.5.6.1755"
-
Affected