
Hundreds Of Thousands Of QNAP Devices Are Vulnerable To Remote Takeover Attacks


Admin  |  2020-05-20

QNAP Vulnerability Exposes Over 450,000 Devices to Takeover

A Taiwanese security researcher has published additional information on critical vulnerabilities in the firmware of QNAP network-attached storage (NAS) devices.

Henry Huang, the researcher, reported that the bugs reside in Photo Station, a photo album app that comes preinstalled with most QNAP NAS systems.

According to Huang, Photo Station is installed on about 80% of all QNAP systems. Based on data from the Shodan IoT search engine, he estimates that around 450,000 internet-exposed devices are affected, and every one of them is potentially open to remote takeover.

In a Medium blog post, Huang published in-depth technical details about four vulnerabilities he discovered. Three impact the Photo Station app, while the fourth impacts the QTS file manager app.

Vulnerabilities Summary:

  1. CVE-2019-7192 (CVSS 9.8) - Photo Station Authentication Bypass
  2. CVE-2019-7194 (CVSS 9.8) - Photo Station Code Injection
  3. CVE-2019-7195 (CVSS 9.8) - Photo Station Shell Installation
  4. CVE-2019-7193 (CVSS 9.8) - QTS vulnerability (not part of the Photo Station chain)

The researcher confirmed that the three Photo Station bugs can be chained together: an attacker first bypasses authentication, then injects malicious code into the app's PHP session, and finally writes a web shell to the unpatched QNAP device.

Since the Photo Station app runs with root privileges, a successful exploit grants an attacker full control over the device.
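The chain above ends with a web shell dropped onto the NAS, so the first thing a practitioner wants after patching is a way to check whether one is already there. The script below is an added example, not code from QNAP or from the researcher's write-up: it walks a directory tree and flags PHP files that combine an execution primitive with request-controlled input, the defining shape of a web shell. The sample files it scans are constructed for the demo; a real run would point it at the web root of the app being checked (the path is not given on this page and is left as a parameter).

```python
"""
Heuristic PHP web-shell scanner (added illustration, not QNAP's code).

A web shell is a script that runs whatever the HTTP request tells it to.
The heuristics therefore look for three things in each PHP file:
  1. an execution primitive (eval, system, exec, ...),
  2. attacker-controlled input ($_GET, $_POST, php://input, ...),
  3. the obfuscation usually wrapped around a payload (base64_decode, ...).
A file that has both 1 and 2 scores highest. The sample tree at the
bottom is constructed for the demo.
"""
import os
import re
import tempfile

# Execution primitives commonly abused by PHP web shells.
EXEC_FUNCS = re.compile(
    r"\b(eval|assert|system|exec|shell_exec|passthru|popen|proc_open)\s*\(",
    re.IGNORECASE,
)
# Sources of attacker-controlled input.
INPUT_VARS = re.compile(
    r"\$_(GET|POST|REQUEST|COOKIE|SERVER)\b|php://input", re.IGNORECASE
)
# Obfuscation typically wrapped around the payload.
OBFUSCATION = re.compile(
    r"\b(base64_decode|gzinflate|gzuncompress|str_rot13|strrev)\s*\(",
    re.IGNORECASE,
)


def score_php_source(src: str) -> int:
    """Return a suspicion score for one PHP source text (0 = nothing found)."""
    score = 0
    has_exec = bool(EXEC_FUNCS.search(src))
    has_input = bool(INPUT_VARS.search(src))
    if has_exec:
        score += 1
    if has_input:
        score += 1
    if has_exec and has_input:
        # Execution primitive fed by the request: the shape of a web shell.
        score += 2
    if OBFUSCATION.search(src):
        score += 1
    return score


def scan_tree(root: str, threshold: int = 3) -> list[tuple[str, int]]:
    """Walk `root`, score every PHP file, return (relative path, score)
    for files scoring at or above `threshold`, sorted by path."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".php", ".phtml", ".php5")):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    s = score_php_source(fh.read())
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            if s >= threshold:
                hits.append((os.path.relpath(path, root), s))
    return sorted(hits)


# Constructed sample files: a benign page, an obvious shell, an obfuscated
# shell hidden as a dotfile in a subdirectory.
SAMPLES = {
    "index.php": "<?php echo htmlspecialchars($_GET['album'] ?? ''); ?>",
    "shell.php": "<?php system($_REQUEST['cmd']); ?>",
    "img/.cache.php": "<?php eval(base64_decode($_POST['x'])); ?>",
}


def demo() -> list[tuple[str, int]]:
    """Write the constructed samples to a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for rel, body in SAMPLES.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_tree(root)


if __name__ == "__main__":
    for path, score in demo():
        print(f"{score}  {path}")
```

The scoring is deliberately simple: it will flag legitimate admin tooling that calls `exec()` on request parameters, and it will miss shells that build the function name at runtime, so treat hits as leads for manual review rather than verdicts. The threshold of 3 means a file needs both an execution primitive and request input to be reported; lower it to 2 to also surface files that have only one of the two.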

Resolution and Recommendations

Huang discovered the bugs in 2019 and reported them to QNAP in June of that year. QNAP released security updates for both Photo Station and QTS in November 2019.

Instructions to apply the security updates are available on the QNAP support portal. Updating the Photo Station app is done via the App Center, while the QTS fix requires a full firmware upgrade.

Device owners who cannot update immediately are advised to disconnect their devices from the internet so that botnets or ransomware groups cannot reach them. Since NAS systems are usually bought precisely for remote access, keeping them offline is rarely practical, and upgrading remains the only durable fix.