Two security vulnerabilities in the firmware of QNAP’s Network-Attached Storage (NAS) devices, which were brought to its attention late last year, have yet to be fixed in legacy devices, reports have claimed.
NAS devices by the Taiwanese vendor have proved a popular target for hackers, who actively seek out vulnerabilities to target products that are accessible over the internet.
The tardiness in addressing these critical vulnerabilities is uncharacteristic, as QNAP has been quick to mitigate the recent spate of attacks, from fixing a cross-site scripting vulnerability to issuing patches to neutralize malware that used the NAS device to mine cryptocurrency.
“We reported both vulnerabilities to QNAP with a 4-month grace period to fix them. Unfortunately, as of the publishing of this article, the vulnerabilities have not yet been fixed,” researchers at home security firm SAM Seamless Network noted.
Critical vulnerabilities
In the post, SAM claims the vulnerabilities are “severe in nature” and were shared with QNAP on October 12, 2020, and on November 29, 2020.
One of them is a Remote Code Execution (RCE) vulnerability that impacts any QNAP device connected to the Internet, while the other is an arbitrary file write vulnerability that exists in the DLNA server on the NAS devices.
In an email to SAM, QNAP has clarified that both issues have already been fixed for newer QNAP models that run the latest version of the firmware.
However, QNAP argues that, given the nature of the vulnerabilities, it is still working on a fix for legacy devices, which should be available in the next few weeks.