Security ID: QSA-21-16
Command Injection Vulnerability in Malware Remover
Release date: May 13, 2021
CVE identifier: CVE-2020-36198
Affected products: QNAP NAS running Malware Remover 4.x
Severity
Medium
Status
Resolved
Summary
A command injection vulnerability has been reported to affect certain versions of Malware Remover. If exploited, this vulnerability allows remote attackers to execute arbitrary commands.
We have already fixed the issue in the following versions:
- QTS 4.4.x: Malware Remover 4.6.1.0 and later
QNAP NAS running Malware Remover 3.x are not affected.
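The version rule above, as an added example for checking an inventory of installed Malware Remover versions (not QNAP's code). The helper names mr_status and ver_ge are hypothetical, the sample versions are constructed, and version strings are assumed to be dotted numbers supplied by the operator. Fields are compared numerically, so 4.10.0.0 is correctly treated as later than 4.6.1.0.

```shell
#!/bin/sh
# Added example: classify a Malware Remover version against QSA-21-16.
FIXED="4.6.1.0"   # first fixed version, taken from the advisory

# ver_ge A B: succeed if dotted numeric version A >= B, compared field by
# field as integers; missing trailing fields count as 0.
ver_ge() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ -n "$x" ] || x=0
        [ -n "$y" ] || y=0
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# mr_status VERSION: print not-affected, fixed, affected or unknown.
mr_status() {
    v=$1
    # Reject empty or non-numeric input rather than guessing.
    case $v in
        ''|*[!0-9.]*|.*|*.|*..*) echo unknown; return 0 ;;
    esac
    major=${v%%.*}
    if [ "$major" -eq 3 ]; then
        echo not-affected          # advisory: 3.x is not affected
    elif ver_ge "$v" "$FIXED"; then
        echo fixed                 # 4.6.1.0 and later
    elif [ "$major" -eq 4 ]; then
        echo affected              # 4.x below 4.6.1.0
    else
        echo unknown               # versions the advisory does not cover
    fi
}

# Constructed sample inventory (not real hosts).
for ver in 3.6.1.1 4.5.4.0 4.6.1.0 4.10.0.0; do
    printf '%s\t%s\n' "$ver" "$(mr_status "$ver")"
done
```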
Recommendation
To fix the vulnerability, we recommend updating Malware Remover to the latest version.
Updating Malware Remover
- Log on to QTS as administrator.
- Open the App Center and then click . A search box appears.
- Type “Malware Remover” and then press ENTER.
Malware Remover appears in the search results.
- Click Update.
A confirmation message appears.
Note: The Update button is not available if your Malware Remover is already up to date.
- Click OK.
The application is updated.
Acknowledgements: Trend Micro ZDI - ZDI-CAN-12891
Revision History: V1.0 (May 13, 2021) - Published