QNAP has published security enhancements against security vulnerabilities that could affect specific versions of QNAP products. Please use the following information and solutions to correct the security issues and vulnerabilities.
Security Advisory for Unquoted Service Path Vulnerability in QNAP NetBak Replicator
Release date: December 2, 2019
Security ID: NAS-201912-02
Severity rating: Low
CVE identifier: CVE-2019-7201
Affected products: QNAP NetBak Replicator 4.5.11.816 and earlier
Summary
An unquoted service path vulnerability is reported to affect the service “QVssService” in QNAP NetBak Replicator. This vulnerability could allow an authorized but non-privileged local user to execute arbitrary code with elevated system privileges.
We have already fixed this issue in QNAP NetBak Replicator 4.5.12.1108.
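To check a Windows machine for the condition described above, before or after updating, the following PowerShell flags services whose registered path is unquoted and contains a space in the executable portion. This is an added example, not QNAP's code; the function name Test-UnquotedServicePath and the sample paths are constructed for illustration, and only the service name QVssService comes from this advisory.

```powershell
# Added example (not from QNAP): detect unquoted service paths, the condition
# behind CVE-2019-7201. Test-UnquotedServicePath is a hypothetical helper name.
function Test-UnquotedServicePath {
    param([string]$PathName)

    if ([string]::IsNullOrWhiteSpace($PathName)) { return $false }
    $p = $PathName.Trim()

    # A path that begins with a double quote is explicitly delimited.
    if ($p.StartsWith('"')) { return $false }

    # Isolate the executable portion: everything up to the first ".exe"
    # that is followed by whitespace or end of string. Spaces in the
    # arguments after it are harmless. -match is case-insensitive.
    if ($p -notmatch '^(.*?\.exe)(\s|$)') { return $false }

    # Unquoted and a space inside the executable path: Windows has to guess
    # where the program name ends, which is the weakness being reported.
    return $Matches[1].Contains(' ')
}

# Constructed sample values (not taken from a real system or the advisory).
$samples = @(
    'C:\Program Files\Example Vendor\Example Service.exe',
    '"C:\Program Files\Example Vendor\Example Service.exe" -run',
    'C:\Windows\System32\svchost.exe -k netsvcs'
)
foreach ($s in $samples) {
    '{0,-5} {1}' -f (Test-UnquotedServicePath $s), $s
}

# Live check: every service on this machine with an unquoted path.
Get-CimInstance -ClassName Win32_Service |
    Where-Object { Test-UnquotedServicePath $_.PathName } |
    Select-Object Name, StartName, StartMode, PathName

# The service named in this advisory, if NetBak Replicator is installed.
Get-CimInstance -ClassName Win32_Service -Filter "Name='QVssService'" |
    Select-Object Name, PathName,
        @{ n = 'Unquoted'; e = { Test-UnquotedServicePath $_.PathName } }
```

A service that still reports Unquoted as True after the update should be investigated; directories along a flagged path should also be reviewed to confirm that non-privileged users cannot write to them.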
Recommendation
To address this vulnerability, we recommend updating QNAP NetBak Replicator to the latest version.
Installing and Running the Latest Version of QNAP NetBak Replicator
- Go to https://www.qnap.com/go/utilities/essentials
- Download the NetBak Replicator installer.
- Run the installer.
- Select Yes to allow NetBak Replicator to make changes to your device.
- Select a language.
- Click OK.
NetBak Replicator Setup Wizard appears.
- Click Next.
- Accept the terms of the License Agreement.
- Click Next.
- Select the components that you want to install.
- Click Next.
- Specify the installation location.
- Click Next.
- Configure user privilege settings.
- Click Install.
Windows installs NetBak Replicator.
- Click Next.
- Click Finish.
NetBak Replicator is installed.