QNAP Fixes Critical Flaws That Could Lead To Device Takeover

QNAP has addressed two critical security vulnerabilities in the Helpdesk app that could enable potential attackers to take over unpatched QNAP network-attached storage (NAS) devices.

Helpdesk is the built-in app that comes with QNAP’s NAS devices and allows admins to submit help requests to the QNAP support team over the Internet.

The app also comes with a remote support feature that allows remotely connecting to the device with the owner’s permission.

NAS takeover risks

The two Helpdesk security issues QNAP fixed are tracked as CVE-2020-2506 and CVE-2020-2507 according to a security advisory published today.

They’re both improper access control vulnerabilities that “could allow attackers to obtain control of a QNAP device” if successfully exploited.

QNAP says that it has fixed these security flaws in Helpdesk 3.0.3 and later and that, given the bugs’ severity rating, customers should update the app to the latest available version as soon as possible.

To do that, QNAP customers have to log on to their NAS devices as admin and use the App Center to look for Helpdesk updates.

Helpdesk app (QNAP)

The full procedure you need to follow to update Helpdesk on your NAS includes the following steps:

  1. Log on to QTS as administrator.
  2. Open the App Center, and then click . A search box appears.
  3. Type “Helpdesk”, and then press ENTER. The Helpdesk application appears in the search results.
  4. Click Update. A confirmation message appears. Note: The Update button is not available if you are using the latest version.
  5. Click OK. The application is updated.

Attacks targeting QNAP NAS devices

QNAP recently issued another security advisory warning of a recent surge in ransomware attacks encrypting files on publicly exposed NAS storage devices.

AgeLocker ransomware, the strain behind these attacks as BleepingComputer reported, is targeting older unpatched versions of Photo Station, an app that allows users to upload photos to their NAS, create albums, and view them remotely.

QNAP previously warned of eCh0raix ransomware attacks that targeted flaws in the Photo Station app starting in June 2020.

In an August report, Qihoo 360’s Network Security Research Lab (360 Netlab) said that hackers are also scanning for vulnerable NAS devices trying to exploit a remote code execution (RCE) vulnerability addressed by QNAP in July 2017.

To avoid having your NAS device compromised, QNAP advises updating all apps on your QNAP devices and installing the latest QTS update, as well as not exposing the QTS Administration page or the QTS apps to the Internet.
