QNAP High-Severity Flaws Plague NAS Systems

QNAP Systems is warning of high-severity flaws that plague its top-selling network attached storage (NAS) devices. If exploited, the most severe of the flaws could allow attackers to remotely take over NAS devices.

NAS devices are systems that consist of one or more hard drives that are constantly connected to the internet – acting as a backup “hub” or storage unit that stores all important files and media such as photos, videos and music. Overall, QNAP on Monday issued patches for cross-site scripting (XSS) flaws tied to six CVEs.

Four of these vulnerabilities stem from an XSS issue that affects earlier versions of QTS and QuTS hero. QTS is the operating system for NAS systems, while the QuTS Hero is an operating system that combines the app-based QTS with a 128-bit ZFS file system to provide more storage management.

Two of these XSS flaws (CVE-2020-2495 and CVE-2020-2496) could allow remote attackers to inject malicious code into File Station. File Station is a built-in QTS app that allows users to manage files stored on their QNAP NAS systems.

Another flaw (CVE-2020-2497) can enable remote attackers to inject malicious code in System Connection Logs; while the fourth flaw (CVE-2020-2498) allows attackers to remotely inject malicious code into the certificate configuration.

QNAP said “we strongly recommend updating your system to the latest version” of QTS and QuTS hero: QuTS hero h4.5.1.1472 build 20201031 and later, QTS 4.5.1.1456 build 20201015 and later, QTS 4.4.3.1354 build 20200702 and later, QTS 4.3.6.1333 build 20200608 and later, QTS 4.3.4.1368 build 20200703 and later, QTS 4.3.3.1315 build 20200611 and later; and QTS 4.2.6 build 20200611 and later.

Users can do so by logging onto the QTS or QuTS hero as an administrator, going to Control Panel > System > Firmware Update and clicking Check for Updating under “Live Update.”

Another high-severity XSS vulnerability (CVE-2020-2491) exists in the Photo Station feature of QNAP NAS systems, which enables remote photo management. The flaw allows attackers to remotely inject malicious code.

According to QNAP, it has been fixed in the following versions of the QTS operating system: QTS 4.5.1 (Photo Station 6.0.12 and later); QTS 4.4.3 (Photo Station 6.0.12 and later); QTS 4.3.6 (Photo Station 5.7.12 and later); QTS 4.3.4 (Photo Station 5.7.13 and later); QTS 4.3.3 (Photo Station 5.4.10 and later) and QTS 4.2.6 (Photo Station 5.2.11 and later).

The final XSS flaw (CVE-2020-2493) exists in the Multimedia Console of QNAP NAS systems, and allows remote attackers to inject malicious code. The Multimedia Console feature enables indexing, transcoding, thumbnail generation and content management so users can manage multimedia apps and services more efficiently.

“We have already fixed this vulnerability in Multimedia Console 1.1.5 and later,” said QNAP in its advisory.

QNAP Systems hardware are no strangers to being attack targets. Last year, attackers crafted malware specifically designed to target NAS devices. Also in July 2019, researchers highlighted an unusual Linux ransomware, called QNAPCrypt, which targeted QNAP NAS servers. Researchers have also previously found multiple bugs in QNAP’s Q’Center Web Console; while in 2014, a worm exploiting the Bash vulnerability in QNAP network attached storage devices was also discovered.

_Put Ransomware on the Run: Save your spot for “What’s Next for Ransomware,” a _FREE Threatpost webinar_ on Dec. 16 at 2 p.m. ET. Find out what’s coming in the ransomware world and how to fight back. _

_Get the latest from John (Austin) Merritt, Cyber Threat Intelligence Analyst at Digital Shadows, and Israel Barak, CISO at Cybereason, on new kinds of attacks. Topics will include the most dangerous ransomware threat actors, their evolving TTPs and what your organization needs to do to get ahead of the next, inevitable ransomware attack. _Register here_ for the Wed., Dec. 16 for this LIVE webinar._