QNAP Warns Of New QTS Bugs That Allow Take Over Of Devices

QNAP today announced two vulnerabilities affecting QTS, the operating system powering its network-attached storage devices, that could allow running arbitrary commands.

The bugs are remotely exploitable and have been reported in versions of the software released before September 8, 2020.

Latest version is safe

The network-attached storage (NAS) device vendor does not provide too many details about the two issues but says that recent QTS releases include the necessary patches.

According to QNAP’s security advisory, users that have updated the QTS operating system to at least version QTS build 20200907 have nothing to worry about.

Currently tracked as CVE-2020-2490 and CVE-2020-2492, the two bugs are classified as command injection vulnerabilities, the company says.

Also Read: 15 Best Tools For Your Windows 10 Privacy Settings Setup

It is unclear how an attacker could exploit these vulnerabilities or what components of the OS are vulnerable but running arbitrary commands on a system is typically synonymous with full take over of the device.

The features in the QTS operating system go beyond providing a comfortable environment for sharing files, managing storage, and backup operations. It also allows installing applications from the QNAP App Center that extend the functionality of the NAS device to cover business and home entertainment purposes.

QNAP devices are attractive targets

Small businesses typically use them for backup and file sharing. An exposed system running an outdated operating system could give attackers an opportunity to compromise the storage device with various types of malware.

Back in September, QNAP warned customers about ransomware attacks targeting its NAS products. The threat actor exploited a vulnerability in the Photo Station app that enables users to upload images to the device, create albums, or view them remotely.

More recently, the company fixed issues in the Helpdesk app that could be exploited to get control of a QNAP device.

Another warning came on October 21 when the NAS device vendor alerted customers that some versions of the QTS operating system are impacted by the critical Windows ZeroLogon (CVE-2020-1472) vulnerability.

Also Read: How To Secure Your WiFi Camera? 4 Points To Consider

Users can install the latest QTS update manually after downloading it from the QNAP website or by checking for updates and letting the operating system download and apply the new version:

  1. Log on to QTS as administrator
  2. Go to Control Panel > System > Firmware Update
  3. Under Live Update, click Check for Update

Privacy Ninja provides GUARANTEED quality and results for the following services: 
DPO-As-A-Service (Outsourced DPO Subscription)
PDPA Compliance Training
DPA Compliance Audit
ital Transformation Consultancy
Data Protection Trustmarks Certification Readiness Consultancy

PDPA Data Protection Software
Vulnerability Assessment & Penetration Testing (VAPT)
Smart Contract Audit

Like & Subscribe:


Leave a Reply

Your email address will not be published. Required fields are marked *