Hundreds Of Thousands Of QNAP Devices Are Vulnerable To Remote Takeover Attacks
Today, a Taiwanese security researcher published additional information on three vulnerabilities in the firmware of QNAP network-attached storage (NAS) devices.
Henry Huang, the security researcher, reported that the bugs reside in Photo Station, a photo album app that comes preinstalled with all recent versions of QNAP NAS systems.
He mentioned that the Photo Station app is installed on about 80% of all QNAP NAS systems, which by his rough estimate, based on results from the Shodan IoT search engine, amounts to around 450,000 devices. The researcher reported that all of these QNAP systems are vulnerable to remote takeover attacks.
In a Medium blog post published today, Huang gave in-depth technical details about the vulnerabilities he discovered in the QNAP devices. Three of them affect the Photo Station app, while the fourth affects the QTS file manager app.
1) CVE-2019-7192 (CVSS 9.8) (Photo Station bug)
2) CVE-2019-7194 (CVSS 9.8) (Photo Station bug)
3) CVE-2019-7195 (CVSS 9.8) (Photo Station bug)
4) CVE-2019-7193 (CVSS 9.8) (QTS app bug, unrelated)
The researcher confirmed that the three Photo Station bugs can be chained together to bypass authentication (bug #1), inject malicious code into the Photo Station app's PHP session (bug #2), and then install a web shell on unpatched QNAP devices (bug #3).
He added that, because the Photo Station app runs with root privileges, attackers who exploit the three bugs gain full control of the QNAP device.
Huang said he discovered the four bugs in the previous year and reported them to QNAP in June. QNAP released security updates for both the Photo Station and QTS apps in November 2019, following his report.
Instructions for applying the security updates are available on the QNAP support portal. Fixing the QTS bug requires a QNAP firmware upgrade, while Photo Station app updates are available through the QNAP App Center.
Device owners who cannot update immediately are advised to disconnect their devices from the internet to prevent attacks from botnets or ransomware groups.
Since NAS systems are built specifically to be available over the internet, upgrading the firmware and the Photo Station app is the recommended course of action, as it causes the least disruption for QNAP users.