Serious vulnerabilities in QNAP NAS drives

In January 2017, F-Secure presented the results of research on the numerous vulnerabilities discovered in NAS NASNs from QNAP. Since then, new, much more serious problems related to the vulnerability in the network device's software have been identified.

Previously discovered vulnerabilities expose NAS owners to attack at the time of software upgrade. The hacker would then have to send an exploit to the device impersonating the new firmware version. It was difficult enough to discourage cybercriminals from carrying out large-scale attacks, " says Harry Sintonen, senior consultant at F-Secure.

Unfortunately, newly discovered gaps allow remote control of the device through so-called "command injection". The attacker can then send commands to be performed by the NAS device - adds Sintonen .

The vulnerabilities in the software allow access to any data that is stored in memory, blocking users (including the owner), using the device for further attacks, and performing other operations.

The vulnerable NAS drives give attackers the opportunity to demonstrate much more creativity

Memory devices of this type can act as a network server - says Janne Kauhanen, an cyber security expert from F-Secure .

The cybercriminal can save any data in the device and run any type of service, from an online store selling suspicious goods to an attacking platform that allows further attacks. Responsibility for the attack can then be assigned to the owner of the device. The hacker can also put compromising materials on the NAS and use them to blackmail the user.

Tests were carried out on the NAS QNAP TVS-663 disk. Vulnerabilities affect software that also works on routers, cameras and other inexpensive devices that connect to the Internet - in this case it is the QTS 4.2.3 version. Harry Sintonen has found nearly 90,000 devices that he believes may be vulnerable. However, it limited search to those that were available on the network, so the number may be higher.

Mikael Albrecht, researcher at F-Secure and owner of QNAP equipment, believes that unsecured NAS servers are a much bigger problem than other devices connecting to the internet.

I'm used to security problems with IoT gadgets, but unsecured NAS is a more serious matter. The device contains most of the digital content that I have produced throughout my entire life. Fortunately, QNAP has a good procedure for distributing updates and does it quite often - says Mikael Albrecht.

QNAP has already repaired the vulnerability and released an updated version of the vulnerable software. According to the report of Harry Sintonen, the manufacturer solved the problem quite quickly and reacted much better than other equipment suppliers who were accused of problems with the safety of their products.

If you have a NAS device from QNAP, an upgrade to the latest version of the software is recommended.


Learn more about our offer

If you sell security solutions, are a distributor, authorized partner or developer and would like to share your portfolio with a group of potential customers, advertise an event, software, hardware or other services on AVLab - simply write to us. Or maybe you had to deal with ransomware? We can also help you decrypt your files.
Read more

We use Google Cloud Translation and Gengo API’s to translate articles with exception of our comparative tests.