CVE-2024-32771

06.09.2024, 17:15

An improper restriction of excessive authentication attempts vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow local network authenticated administrators to perform an arbitrary number of authentication attempts via unspecified vectors.
QuTScloud is not affected.

We have already fixed the vulnerability in the following versions:
QTS 5.2.0.2782 build 20240601 and later
QuTS hero h5.2.0.2782 build 20240601 and later

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	2.6 LOW	ADJACENT_NETWORK	HIGH	HIGH	CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N
qnap	CNA	2.6 LOW	ADJACENT_NETWORK	HIGH	HIGH	CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N
CISA-ADP	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 6%

Vendor	Product	Version
qnap	qts	5.1.0.2348:build_20230325
qnap	qts	5.1.0.2399:build_20230515
qnap	qts	5.1.0.2418:build_20230603
qnap	qts	5.1.0.2444:build_20230629
qnap	qts	5.1.0.2466:build_20230721
qnap	qts	5.1.1.2491:build_20230815
qnap	qts	5.1.2.2533:build_20230926
qnap	qts	5.1.3.2578:build_20231110
qnap	qts	5.1.4.2596:build_20231128
qnap	qts	5.1.5.2645:build_20240116
qnap	qts	5.1.5.2679:build_20240219
qnap	qts	5.1.6.2722:build_20240402
qnap	qts	5.1.7.2770:build_20240520
qnap	qts	5.1.8.2823:build_20240712
qnap	qts	5.2.0.2737:build_20240417
qnap	qts	5.2.0.2744:build_20240424

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-307 - Improper Restriction of Excessive Authentication Attempts
The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame, making it more susceptible to brute force attacks.

References

https://www.qnap.com/en/security-advisory/qsa-24-28