QNAP Patches QTS Vulnerabilities Allowing NAS Device Takeover

Network-attached storage (NAS) maker QNAP today released security updates to address vulnerabilities that could enable attackers to take control of unpatched NAS devices following successful exploitation.

The eight vulnerabilities patched today by QNAP affect all QNAP NAS devices running vulnerable software.

These command injection and cross-site scripting (XSS) security bugs the company rated as medium and high severity security issues.

The XSS vulnerabilities could allow remote attackers to inject malicious code within vulnerable application versions.

Leveraging command injection bugs enable them to elevate privileges, execute arbitrary commands on the compromised device or app, and take over the underlying operating system.

OS command injection and cross-site scripting

The list of software some of today’s security updates apply to includes the QNAP QuTS hero high-performance ZFS-based operating system and the QTS NAS OS.

Also Read: How Formidable is Singapore Cybersecurity Masterplan 2020?

QNAP has addressed the CVE-2020-2495, CVE-2020-2496, CVE-2020-2497, and CVE-2020-2498 XSS bugs, as well as the CVE-2019-7198 command injection bug in these versions of QTS and QuTS hero:• QuTS hero h4.5.1.1472 build 20201031 and later
• QTS 4.5.1.1456 build 20201015 and later
• QTS 4.4.3.1354 build 20200702 and later
• QTS 4.3.6.1333 build 20200608 and later
• QTS 4.3.4.1368 build 20200703 and later
• QTS 4.3.3.1315 build 20200611 and later
• QTS 4.2.6 build 20200611 and later

The NAS maker urges customers to update their systems to the latest version to prevent future attacks from impacting their devices.

To deploy QTS and QuTS hero security updates on your NAS device follow this procedure:

1. Log on to QTS or QuTS hero as administrator.
2. Go to Control Panel > System > Firmware Update.
3. Under Live Update, click Check for Update. QTS or QuTS hero downloads and installs the latest available update.

QNAP also fixed XSS bugs affecting Music Station (CVE-2020-2494), Multimedia Console (CVE-2020-2493), and Photo Station (CVE-2020-2491).

The full procedure you need to follow to update the apps to their latest versions on your NAS includes these steps:

1. Log on to QTS as administrator.
2. Open the App Center, then click , and type the name of the app in the search box that appears.
3. Click Update. A confirmation message appears. Note: The Update button is not available if you are using the latest version.
4. Click OK. The application is updated.

QNAP NAS devices are tempting targets

Given that NAS devices are commonly used for backup and file sharing, they are also regularly targeted by attackers who attempt to steal sensitive documents or deploy malware payloads.

QNAP warned customers in September of ongoing attacks targeting publicly exposed NAS devices with AgeLocker ransomware by exploiting older and vulnerable versions of Photo Station.

The company also warned of eCh0raix ransomware attacks that targeted flaws in the same application starting with June 2020.

In an August report, Qihoo 360’s Network Security Research Lab (360 Netlab) said that hackers were also scanning for vulnerable NAS devices and trying to exploit a remote code execution (RCE) firmware vulnerability addressed by QNAP in July 2017.

Also Read: Going Beyond DPO Meaning: Ever Heard of Outsourced DPO?

Another warning was issued by QNAP two months ago, on October 21st, when it alerted users that some versions of the QTS operating system are affected by the critical Windows ZeroLogon (CVE-2020-1472) vulnerability when the devices were configured as a domain controller.

While NAS devices aren’t commonly used as a Windows domain controllers, some orgs could enable the feature for user account management, authentication, and for enforcing domain security.