QNAP Warns Of New QTS Bugs That Allow Take Over Of Devices
QNAP today announced two vulnerabilities affecting QTS, the operating system powering its network-attached storage devices, that could allow running arbitrary commands.
The bugs are remotely exploitable and have been reported in versions of the software released before September 8, 2020.
Latest version is safe
The network-attached storage (NAS) device vendor provides few details about the two issues but says that recent QTS releases include the necessary patches.
Currently tracked as CVE-2020-2490 and CVE-2020-2492, the two bugs are classified as command injection vulnerabilities, the company says.
It is unclear how an attacker could exploit these vulnerabilities or which components of the OS are vulnerable, but running arbitrary commands on a system is typically synonymous with full takeover of the device.
The features in the QTS operating system go beyond providing a comfortable environment for sharing files, managing storage, and backup operations. The OS also allows installing applications from the QNAP App Center that extend the functionality of the NAS device to cover business and home entertainment purposes.
QNAP devices are attractive targets
Small businesses typically use them for backup and file sharing. An exposed system running an outdated operating system could give attackers an opportunity to compromise the storage device with various types of malware.
Back in September, QNAP warned customers about ransomware attacks targeting its NAS products. The threat actor exploited a vulnerability in the Photo Station app that enables users to upload images to the device, create albums, or view them remotely.
More recently, the company fixed issues in the Helpdesk app that could be exploited to get control of a QNAP device.
Another warning came on October 21 when the NAS device vendor alerted customers that some versions of the QTS operating system are impacted by the critical Windows ZeroLogon (CVE-2020-1472) vulnerability.
Users can install the latest QTS update manually after downloading it from the QNAP website or by checking for updates and letting the operating system download and apply the new version:
- Log on to QTS as administrator
- Go to Control Panel > System > Firmware Update
- Under Live Update, click Check for Update