Skip to main content

Yet more critical NAS security bugs have been uncovered

security threat
(Image credit: Shutterstock.com)
Audio player loading…

Two security vulnerabilities in the firmware of QNAP’s Network-Attached Storage (NAS) (opens in new tab) devices which were brought to its attention late last year are still yet to be fixed in legacy devices, reports have claimed.

NAS devices by the Taiwanese vendor have proved a popular target for hackers, who actively seek out vulnerabilities to target products that are accessible over the internet.

The tardiness in addressing these critical vulnerabilities is uncharacteristic, as QNAP (opens in new tab) has been quick on its heels to mitigate the recent spate of attacks, from fixing a cross-site scripting vulnerability (opens in new tab), to issuing patches to neutralize malware (opens in new tab) that used the NAS device to mine cryptocurrency (opens in new tab).

TechRadar needs yo...

We're looking at how our readers use VPN for a forthcoming in-depth report. We'd love to hear your thoughts in the survey below. It won't take more than 60 seconds of your time.

>> Click here to start the survey in a new window (opens in new tab)<<

“We reported both vulnerabilities to QNAP with a 4-month grace period to fix them. Unfortunately, as of the publishing of this article, the vulnerabilities have not yet been fixed,” researchers at home security firm SAM Seamless Network noted.

Critical vulnerabilities

In the post, SAM claims the vulnerabilities are “severe in nature” and were shared with QNAP on October 12, 2020, and on November 29, 2020. 

One of them is a Remote Code Execution (RCE) vulnerability that impacts any QNAP device connected to the Internet, while the other is an arbitrary file write vulnerability that exists in the DLNA server on the NAS devices. 

In an email to SAM, QNAP has clarified that both issues have already been fixed for newer QNAP models that run the latest version of the firmware. 

However QNAP argues that given the nature of the vulnerabilities, they are still working on a fix for legacy devices, which should be available in the next few weeks.

Via: The Register (opens in new tab)

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.