Hundreds Of Thousands Of QNAP Devices Are Vulnerable To Remote Takeover Attacks

20 May

Hundreds Of Thousands Of QNAP Devices Are Vulnerable To Remote Takeover Attacks

Today, a Taiwanese security researcher published additional information on three vulnerabilities in the firmware of QNAP network-attached storage (NAS) devices.

Henry Huang, the security researcher, reported that the bugs reside in Photo Station, a photo album app that comes preinstalled with all recent versions of QNAP NAS systems.

He mentioned that the Photo Station app is installed on about 80% of all QNAP NAS systems. He believes, to be around 450,000 devices, in a rough estimate based on results generated by the Shodan IoT search engine. The researcher reported all these QNAP systems are vulnerable to remote takeover attacks.

Huang published In a Medium blog post today, in-depth technical details about the vulnerabilities he discovered in the QNAP devices. Three of which impacts the Photo Station app, while the fourth impacts the QTS file manager app.

As follows:

1) CVE-2019-7192 (CVSS 9.8) (Photo Station bug)
2) CVE-2019-7194 (CVSS 9.8) (Photo Station bug)
3) CVE-2019-7195 (CVSS 9.8) (Photo Station)
4) CVE-2019-7193 (CVSS 9.8) (QTS app bug, unrelated)

The researcher confirmed the three Photo Station bugs can be chained together to bypass authentication (bug #1), insert malicious code in the Photo Station app PHP session (bug #2), and then install a web shell on unpatched QNAP devices (bug #3).

He added, since the Photo Station app runs with root privileges, attackers can exploit the three bugs to take full control over QNAP devices.

Huang said, he discovered the four bugs in the previous year and had reported the issues to QNAP in June itself. QNAP released security updates for both the Photo Station and QTS apps in November 2019, following his report.

Instructions on steps to follow and apply the security updates are available on the QNAP support portal. Updating the QTS app requires a QNAP firmware upgrade. Also, Photo Station app updates are available via the QNAP App Center.

Device owners are advised to disconnect devices from the internet to prevent attacks from botnets or ransomware groups if unable to update with immediate effect.

Since NAS systems are designed for the only purpose of being available over the internet, upgrading your firmware and the Photo App respectively is highly recommended as the most suitable course of action. It results in least disruption to all QNAP users.

Source: zdnet.com

Tags:

App centre,bugs,firmware,malicious,NAS,Photo Station App,QNAP,securityupdates,unpatched,upgrade,webshell

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Hundreds Of Thousands Of QNAP Devices Are Vulnerable To Remote Takeover Attacks