Hundreds of thousands of QNAP devices vulnerable to remote takeover attacks

guest · May 20, 2020

Shielded web security flaws in QNAP storage devices finally released
May 20, 2020
https://portswigger.net/daily-swig/...laws-in-qnap-storage-devices-finally-released

A security researcher has published details of how a series of web security flaws in QNAP network attached storage (NAS) devices leave many systems open to pwnage.

Multiple vulnerabilities in QNAP Photo Station and CGI programs can be chained together to achieve a pre-authentication remote code execution attack, Henry Huang from CyCarrier CSIRT discovered.
Huang discovered and reported four vulnerabilities to QNAP NAS devices last June (CVE-2019–7192, CVE-2019–7193, CVE-2019–7194, and CVE-2019–7195).

The clutch of bugs were fixed last December, but Huang held off on going public with the details in order to give admins a chance to patch systems that would otherwise be wide open to attack.
Click to expand...

All QNAP NAS models are potentially vulnerable, but only in cases where they have the vulnerable Photo Station component enabled.

This means that of around 564,000 QNAP NAS devices exposed to the internet, approximately 450,000 are vulnerable to attack, according to Huang’s estimate, which is based (in part) on searches using Shodan.
A representative of QNAP emphasized that it had patched all the vulnerabilities last November.

“For NAS connected to the Internet, all eligible systems will receive QTS live update notices if their ‘automatically check for updates’ option is enabled,” a QNAP marketing executive explained. “For the Photo Station app, update notices are displayed on the QTS desktop.”
Click to expand...

QNAP Pre-Auth Root RCE Affecting ~312K Devices on the Internet

In 2019, I discovered multiple vulnerabilities in QNAP PhotoStation and CGI programs. These vulnerabilities can be chained into a pre-auth root RCE. All QNAP NAS models are vulnerable, and there are ~312K vulnerable QNAS NAS instances on the Internet (statistical prediction).
Click to expand...

guest · Oct 7, 2020

QNAP fixes critical flaws that could lead to device takeover
October 7, 2020
https://www.bleepingcomputer.com/ne...cal-flaws-that-could-lead-to-device-takeover/

QNAP has addressed two critical security vulnerabilities in the Helpdesk app that could enable potential attackers to take over unpatched QNAP network-attached storage (NAS) devices.

Helpdesk is the built-in app that comes with QNAP's NAS devices and allows admins to submit help requests to the QNAP support team over the Internet.
The app also comes with a remote support feature that allows remotely connecting to the device with the owner's permission.
Click to expand...

NAS takeover risks
The two Helpdesk security issues QNAP fixed are tracked as CVE-2020-2506 and CVE-2020-2507 according to a security advisory published today.
They're both improper access control vulnerabilities that "could allow attackers to obtain control of a QNAP device" if successfully exploited.

QNAP says that it has fixed these security flaws in Helpdesk 3.0.3 and later and that, given the bugs' severity rating, customers should update the app to the latest available version as soon as possible.
Click to expand...

guest · Oct 28, 2020

QNAP warns of new QTS bugs that allow take over of devices
October 28, 2020
https://www.bleepingcomputer.com/ne...new-qts-bugs-that-allow-take-over-of-devices/

QNAP today announced two vulnerabilities affecting QTS, the operating system powering its network-attached storage devices, that could allow running arbitrary commands.

The bugs are remotely exploitable and have been reported in versions of the software released before September 8, 2020.
Latest version is safe
The network-attached storage (NAS) device vendor does not provide too many details about the two issues but says that recent QTS releases include the necessary patches.
According to QNAP’s security advisory, users that have updated the QTS operating system to at least version QTS 4.4.3.1421 build 20200907 have nothing to worry about.
Click to expand...

Currently tracked as CVE-2020-2490 and CVE-2020-2492, the two bugs are classified as command injection vulnerabilities, the company says.

Users can install the latest QTS update manually after downloading it from the QNAP website or by checking for updates and letting the operating system download and apply the new version:

Log on to QTS as administrator

Go to Control Panel > System > Firmware Update

Under Live Update, click Check for Update

Click to expand...

guest · Dec 8, 2020

QNAP Patches QTS Vulnerabilities Allowing NAS Device Takeover
December 8, 2020
https://www.privacy.com.sg/cybersec...vulnerabilities-allowing-nas-device-takeover/

Network-attached storage (NAS) maker QNAP today released security updates to address vulnerabilities that could enable attackers to take control of unpatched NAS devices following successful exploitation.

The eight vulnerabilities patched today by QNAP affect all QNAP NAS devices running vulnerable software.
These command injection and cross-site scripting (XSS) security bugs the company rated as medium and high severity security issues.

The XSS vulnerabilities could allow remote attackers to inject malicious code within vulnerable application versions.
Click to expand...

guest · Dec 23, 2020

QNAP fixes high severity QTS, QES, and QuTS hero vulnerabilities
December 23, 2020
https://www.bleepingcomputer.com/ne...verity-qts-qes-and-quts-hero-vulnerabilities/

QNAP has released security updates to fix multiple high severity security vulnerabilities impacting network-attached storage (NAS) devices running the QES, QTS, and QuTS hero operating systems.

In total, the NAS maker has patched six vulnerabilities affecting earlier versions of its FreeBSD, Linux, and 128-bit ZFS based OSs.
XSS vulnerabilities fixed today could allow remote attackers to inject malicious code in vulnerable app versions following successful exploitation.

Attackers abusing the command injection bugs could also elevate privileges, execute arbitrary commands on the compromised device or app, or even take over the underlying operating system.
Click to expand...

"To secure your device, we strongly recommend updating your system to the latest version to benefit from vulnerability fixes," QNAP said in the advisories.
To see the latest updates available for your NAS devices, you can check the product support status.
Click to expand...

guest · Sep 30, 2021

QNAP fixes bug that let attackers run malicious commands remotely
September 30, 2021
https://www.bleepingcomputer.com/ne...et-attackers-run-malicious-commands-remotely/

Taiwan-based network-attached storage (NAS) maker QNAP has released security patches for multiple vulnerabilities that could allow attackers to inject and execute malicious code and commands remotely on vulnerable NAS devices.

Three of the security flaws fixed today by QNAP are high severity stored cross-site scripting (XSS) vulnerabilities (tracked as CVE-2021-34354, CVE-2021-34356, and CVE-2021-34355) affect devices running unpatched Photo Station software (releases before 5.4.10, 5.7.13, or 6.0.18).
QNAP also patched a stored XSS Image2PDF flaw impacting devices running software versions released before Image2PDF 2.1.5.
Click to expand...

The company also addressed a command injection bug (CVE-2021-34352) affecting some QNAP end-of-life (EOL) devices running the QVR IP video surveillance software that helps attackers run arbitrary commands.

Successful attacks exploiting the CVE-2021-34352 flaw could lead to the complete takeover of compromised NAS devices.
Click to expand...

Log in or Sign up

Hundreds of thousands of QNAP devices vulnerable to remote takeover attacks

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

Log in or Sign up

Hundreds of thousands of QNAP devices vulnerable to remote takeover attacks

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

Useful Searches