QNAP Patches QTS Vulnerabilities Allowing NAS Device Takeover
Network-attached storage (NAS) maker QNAP today released security updates to address vulnerabilities that could enable attackers to take control of unpatched NAS devices following successful exploitation.
The eight vulnerabilities patched today by QNAP affect all QNAP NAS devices running vulnerable software.
The XSS vulnerabilities could allow remote attackers to inject malicious code within vulnerable application versions.
Leveraging command injection bugs enable them to elevate privileges, execute arbitrary commands on the compromised device or app, and take over the underlying operating system.
OS command injection and cross-site scripting
The list of software some of today’s security updates apply to includes the QNAP QuTS hero high-performance ZFS-based operating system and the QTS NAS OS.
QNAP has addressed the CVE-2020-2495, CVE-2020-2496, CVE-2020-2497, and CVE-2020-2498 XSS bugs, as well as the CVE-2019-7198 command injection bug in these versions of QTS and QuTS hero:• QuTS hero h22.214.171.1242 build 20201031 and later
• QTS 126.96.36.1996 build 20201015 and later
• QTS 188.8.131.524 build 20200702 and later
• QTS 184.108.40.2063 build 20200608 and later
• QTS 220.127.116.118 build 20200703 and later
• QTS 18.104.22.1685 build 20200611 and later
• QTS 4.2.6 build 20200611 and later
The NAS maker urges customers to update their systems to the latest version to prevent future attacks from impacting their devices.
To deploy QTS and QuTS hero security updates on your NAS device follow this procedure:
- Log on to QTS or QuTS hero as administrator.
- Go to Control Panel > System > Firmware Update.
- Under Live Update, click Check for Update. QTS or QuTS hero downloads and installs the latest available update.
QNAP also fixed XSS bugs affecting Music Station (CVE-2020-2494), Multimedia Console (CVE-2020-2493), and Photo Station (CVE-2020-2491).
The full procedure you need to follow to update the apps to their latest versions on your NAS includes these steps:
- Log on to QTS as administrator.
- Open the App Center, then click , and type the name of the app in the search box that appears.
- Click Update. A confirmation message appears. Note: The Update button is not available if you are using the latest version.
- Click OK. The application is updated.
QNAP NAS devices are tempting targets
Given that NAS devices are commonly used for backup and file sharing, they are also regularly targeted by attackers who attempt to steal sensitive documents or deploy malware payloads.
QNAP warned customers in September of ongoing attacks targeting publicly exposed NAS devices with AgeLocker ransomware by exploiting older and vulnerable versions of Photo Station.
The company also warned of eCh0raix ransomware attacks that targeted flaws in the same application starting with June 2020.
In an August report, Qihoo 360’s Network Security Research Lab (360 Netlab) said that hackers were also scanning for vulnerable NAS devices and trying to exploit a remote code execution (RCE) firmware vulnerability addressed by QNAP in July 2017.
Another warning was issued by QNAP two months ago, on October 21st, when it alerted users that some versions of the QTS operating system are affected by the critical Windows ZeroLogon (CVE-2020-1472) vulnerability when the devices were configured as a domain controller.
While NAS devices aren’t commonly used as a Windows domain controllers, some orgs could enable the feature for user account management, authentication, and for enforcing domain security.
Outsourced Data Protection Officer – It is mandatory to appoint a Data Protection Officer. We help our clients quickly comply with their PDPA & data protection requirements.
Vulnerability Assessment Penetration Testing – Find loopholes in your websites, mobile apps or systems.
Smart Contract Audit – Leverage our industry-leading suite of blockchain security analysis tools, combined with hands-on review from our veteran smart contract auditors.