QNAP caught napping as disclosure delay expires, critical NAS bugs revealed
Remote code execution hole, arbitrary file writing flaw could make a mess of stored files
Updated: Some QNAP network attached storage devices are vulnerable to attack because of two critical vulnerabilities, one that enables unauthenticated remote code execution and another that provides the ability to write to arbitrary files.
The vulnerabilities were made known to the Taiwan-based company on October 12, 2020, and on November 29, 2020, by SAM Seamless Network, a connected home security firm. They were found in the QNAP TS-231's latest firmware, version 4.3.6.1446, which SAM claims was released on September 29, 2020, and which QNAP's website lists as October 7, 2020 – the two dates may represent different build numbers.
"We reported both vulnerabilities to QNAP with a four-month grace period to fix them," said Yaniv Puyeski, an embedded software security researcher at SAM, in a blog post on Wednesday. "Unfortunately, as of the publishing of this article, the vulnerabilities have not yet been fixed."
On Thursday, however, QNAP released TS-231 firmware version 4.3.6.1620, which addresses a command injection vulnerability (CVE-2020-2509) and a vulnerability in Apache HTTP server (CVE-2020-9490). The release notes also say that support for "Wi-Fi ad-hoc mode" has been removed due to security concerns.
The command injection flaw (CVE-2020-2509) is one of the vulnerabilities SAM reported.
The other, according to ThreatPost, has been designated CVE-2021-36195, which is not cited in QNAP's release notes.
It seems current, non-legacy hardware running firmware prior to QTS 4.5.2.1566 (build 20210202) and QTS 4.5.1.1495 (build 20201123) may also be vulnerable to the remote code execution bug and should be patched with QTS 4.5.2.1566 (ZIP) or QTS 4.5.1.1495 (ZIP), as applicable.
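As an added defender-side example (not code from the article, SAM or QNAP), the following inventory check compares QTS version strings against the fixed builds named above. The per-branch table, the sample hostnames and the sample version strings are assumptions constructed for illustration; branches the article does not mention are reported as unknown rather than assumed safe.

```python
"""Flag QNAP NAS firmware versions that predate the fixes named in the article."""
from typing import Dict, List, Optional, Tuple

# Minimum fixed build per QTS branch, as stated in the article (assumption:
# the fix applies from that build onward within the same branch). Branches
# absent from this table are reported as unknown, not as patched.
FIXED_BUILDS = {
    (4, 3, 6): (4, 3, 6, 1620),  # TS-231 legacy firmware
    (4, 5, 1): (4, 5, 1, 1495),  # QTS 4.5.1 branch
    (4, 5, 2): (4, 5, 2, 1566),  # QTS 4.5.2 branch
}


def parse_qts_version(version: str) -> Tuple[int, ...]:
    """Turn '4.3.6.1446' into (4, 3, 6, 1446); reject anything else."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected QTS version format: {version!r}")
    return tuple(int(p) for p in parts)


def is_patched(version: str) -> Optional[bool]:
    """True if at/above the fixed build for its branch, False if below,
    None if the branch is not covered by the article's release information."""
    v = parse_qts_version(version)
    fixed = FIXED_BUILDS.get(v[:3])
    if fixed is None:
        return None
    return v >= fixed  # tuple comparison: branch equal, so build number decides


def triage(inventory: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group (hostname, version) pairs into patched / vulnerable / unknown."""
    out: Dict[str, List[str]] = {"patched": [], "vulnerable": [], "unknown": []}
    for host, version in inventory:
        status = is_patched(version)
        key = "unknown" if status is None else ("patched" if status else "vulnerable")
        out[key].append(host)
    return out


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are placeholders.
    sample = [("nas-01", "4.3.6.1446"), ("nas-02", "4.3.6.1620"),
              ("nas-03", "4.5.1.1400"), ("nas-04", "4.5.2.1566"),
              ("nas-05", "4.4.1.1000")]
    for status, hosts in triage(sample).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```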
The two vulnerabilities were found in the NAS web server and the DLNA (Digital Living Network Alliance) server, respectively, according to Puyeski, who said SAM has withheld details about the vulnerabilities because there are tens of thousands of QNAP devices exposed to the internet.
The NAS web server bug was identified by fuzzing – injecting data programmatically – various CGI files, based on past observations that QNAP NAS devices have implemented web pages that don't require authentication and execute server-side code. The security firm's researchers found they could trigger remote code execution indirectly, by inducing certain behavior in other processes.
Resolving the NAS bug is a matter of "adding input sanitizations to some core processes and library APIs," said Puyeski.
The issue with the DLNA server, which handles UPnP requests on port 8200 via the process myupnpmediasvr, is that a remote attacker can use the server to write an arbitrary file.
ThreatPost claims this flaw is addressed in an updated version of QNAP's media server app, Multimedia Console 1.3.4, though the update makes no mention of any security fixes.
QNAP did not immediately respond to a request for comment. SAM also did not respond to our inquiry. ®
Updated to add
"The current situation is that we’ve fixed and released patches for mainstream versions of our NAS operating systems," QNAP belatedly told The Reg.
"But when extending the fix to legacy versions (due to the severity of these vulnerabilities), we’re still working around the clock to get it done. It would take some more time (about a week) before we can properly disclose the information. And also to protect our users from attacks, we’d only disclose the relevant information until we can be sure that the majority of our users are updated to the patched versions."