QNAP Patches QTS Vulnerabilities Allowing NAS Device Takeover
Network-attached storage (NAS) maker QNAP today released security updates to address vulnerabilities that could enable attackers to take control of unpatched NAS devices following successful exploitation.
The eight vulnerabilities patched today by QNAP affect all QNAP NAS devices running vulnerable software.
The XSS vulnerabilities could allow remote attackers to inject malicious code within vulnerable application versions.
Leveraging command injection bugs enable them to elevate privileges, execute arbitrary commands on the compromised device or app, and take over the underlying operating system.
OS command injection and cross-site scripting
The list of software some of today’s security updates apply to includes the QNAP QuTS hero high-performance ZFS-based operating system and the QTS NAS OS.
QNAP has addressed the CVE-2020-2495, CVE-2020-2496, CVE-2020-2497, and CVE-2020-2498 XSS bugs, as well as the CVE-2019-7198 command injection bug in these versions of QTS and QuTS hero:• QuTS hero h188.8.131.522 build 20201031 and later
• QTS 184.108.40.2066 build 20201015 and later
• QTS 220.127.116.114 build 20200702 and later
• QTS 18.104.22.1683 build 20200608 and later
• QTS 22.214.171.1248 build 20200703 and later
• QTS 126.96.36.1995 build 20200611 and later
• QTS 4.2.6 build 20200611 and later
The NAS maker urges customers to update their systems to the latest version to prevent future attacks from impacting their devices.
To deploy QTS and QuTS hero security updates on your NAS device follow this procedure:
- Log on to QTS or QuTS hero as administrator.
- Go to Control Panel > System > Firmware Update.
- Under Live Update, click Check for Update. QTS or QuTS hero downloads and installs the latest available update.
QNAP also fixed XSS bugs affecting Music Station (CVE-2020-2494), Multimedia Console (CVE-2020-2493), and Photo Station (CVE-2020-2491).
The full procedure you need to follow to update the apps to their latest versions on your NAS includes these steps:
- Log on to QTS as administrator.
- Open the App Center, then click , and type the name of the app in the search box that appears.
- Click Update. A confirmation message appears. Note: The Update button is not available if you are using the latest version.
- Click OK. The application is updated.
QNAP NAS devices are tempting targets
Given that NAS devices are commonly used for backup and file sharing, they are also regularly targeted by attackers who attempt to steal sensitive documents or deploy malware payloads.
QNAP warned customers in September of ongoing attacks targeting publicly exposed NAS devices with AgeLocker ransomware by exploiting older and vulnerable versions of Photo Station.
The company also warned of eCh0raix ransomware attacks that targeted flaws in the same application starting with June 2020.
In an August report, Qihoo 360’s Network Security Research Lab (360 Netlab) said that hackers were also scanning for vulnerable NAS devices and trying to exploit a remote code execution (RCE) firmware vulnerability addressed by QNAP in July 2017.
Another warning was issued by QNAP two months ago, on October 21st, when it alerted users that some versions of the QTS operating system are affected by the critical Windows ZeroLogon (CVE-2020-1472) vulnerability when the devices were configured as a domain controller.
While NAS devices aren’t commonly used as a Windows domain controllers, some orgs could enable the feature for user account management, authentication, and for enforcing domain security.
Privacy Ninja provides GUARANTEED quality and results for the following services:
DPO-As-A-Service (Outsourced DPO Subscription)PDPA Compliance Training
PDPA Compliance Audit
Digital Transformation Consultancy
Data Protection Trustmarks Certification Readiness Consultancy
PDPA Data Protection Software
Vulnerability Assessment & Penetration Testing (VAPT)
Smart Contract Audit