QNAP QTS/QuTS Null Pointer DoS (pre-5.1.0.2444) via Authenticated Admin
CVE-2023-32970 Published on October 13, 2023
QTS, QuTS hero, QuTScloud
A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to launch a denial-of-service (DoS) attack via a network.
QES is not affected.
We have already fixed the vulnerability in the following versions:
QuTS hero h5.0.1.2515 build 20230907 and later
QuTS hero h5.1.0.2453 build 20230708 and later
QuTS hero h4.5.4.2476 build 20230728 and later
QuTScloud c5.1.0.2498 and later
QTS 5.1.0.2444 build 20230629 and later
QTS 4.5.4.2467 build 20230718 and later
Vulnerability Analysis
CVE-2023-32970 is exploitable with network access, and requires user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality and integrity, and a high impact on availability.
Weakness Type
NULL Pointer Dereference
A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit. NULL pointer dereference issues can occur through a number of flaws, including race conditions, and simple programming omissions.
Products Associated with CVE-2023-32970
Want to know whenever a new CVE is published for QNAP products? stack.watch will email you.
Affected Versions
QNAP Systems Inc. QuTS hero:- Version h5.0.x and below h5.0.1.2515 build 20230907 is affected.
- Version h5.1.x and below h5.1.0.2453 build 20230708 is affected.
- Version h4.5.x and below h4.5.4.2476 build 20230728 is affected.
- Version c5.x and below c5.1.0.2498 is affected.
- Version 5.1.x and below 5.1.0.2444 build 20230629 is affected.
- Version 4.5.x and below 4.5.4.2467 build 20230718 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.