Security updates were released by QNAP to fix multiple high severity security vulnerabilities that were impacting network-attached storage (NAS) devices operating the QES, QTS, and QuTS hero operating systems.
The NAS maker has patched a total of six vulnerabilities, affecting earlier versions of its FreeBSD, Linux, and 128-bit ZFS based OSs.
A team of researchers had reported the command injection, cross-site scripting (XSS), and hard-coded password security bugs. Particularly, the XSS vulnerabilities that were fixed, allowed remote attackers to inject malicious code in vulnerable app versions following successful exploitation.
The command injection bugs that were abused by attackers could also elevate privileges, execute arbitrary commands on the compromised device or app, or even take over the underlying operating system.
Below is the list of vulnerabilities that were patched by QNAP –
- CVE-2020-25847: Command injection (QTS and QuTS hero) vulnerability — arbitrary commands can be executed by attackers in compromised apps.
- CVE-2020-2499: Hard-coded password QES vulnerability —login can be achieved with a hard-coded password.
- CVE-2016-6903: Command injection QES vulnerability — arbitrary commands can be executed in Ishell by remote attackers.
- CVE-2020-2505: QES vulnerability — sensitive information can be acquired by attackers via the generation of error messages.
- CVE-2020-2504: Absolute path traversal QES vulnerability — traversing of files in File Station can be achieved by the attacker.
- CVE-2020-2503: Stored cross-site scripting QES vulnerability —malicious code can be injected in File Station by remote attackers.
The manufacturers claimed to have already fixed security issues in the QES 2.1.1 Build 20201006 and later, QTS 4.5.1.1495 build 20201123 (and later), and QuTS hero h4.5.1.1491 build 20201119 (and later). They also recommend updating the system to the latest version to benefit from vulnerability fixes.
The availability of updates on the NAS devices can be checked through the product support status.
Follow the below-mentioned procedure to deploy the recently released security updates by QNAP on any given NAS device–
- Log on to QES, QTS, or QuTS hero as administrator.
- Go to Control Panel > System > Firmware Update.
- Under Live Update, click Check for Update. QES, QTS, or QuTS hero downloads and installs the latest available update.
The update can also be downloaded and installed manually from the Support Download Center on QNAP’s website.
Security issues affecting the vulnerable versions of QTS running on the NAS devices that could potentially lead to the device being taken over after successful exploitation were fixed by the manufacturers earlier last month.
Attackers attempting to steal sensitive documents or deploy malware payloads given that they are commonly used for backup and file sharing are frequently targeting the NAS devices.
In October last year, QNAP warned their customers that versions of the QTS OS are affected by the critical Windows ZeroLogon vulnerability if the NAS devices were configured as domain controllers.
In September, they alerted their customers of an ongoing AgeLocker ransomware attack that targeted publicly exposed NAS devices by exploiting older Photo Station versions.
In August, researchers revealed that attackers were also scanning for vulnerable NAS devices trying to exploit a remote code execution (RCE) firmware vulnerability fixed more than three years ago, in July 2017.
To read more, please check eScan Blog
