Skip to main content

QNAP fixes even more serious security flaws on its NAS devices

qnap
(Image credit: QNAP)
Audio player loading…

QNAP has released a series of new patches which fix multiple high severity vulnerabilities that impact its NAS devices (opens in new tab) running the QES, QTS and QuTS hero operating systems.

In total, this latest round of security updates patch six vulnerabilities that affect older versions of the NAS maker's FreeBSD, Linux and 128-bit ZFS based operating systems.

TIM Security Red Team Research, Lodestone Security and the CFF of Topsec Alpha Team discovered and reported these security bugs to QNAP (opens in new tab) which if left unpatched, could be used to carry out command injection or cross-site scripting (XSS (opens in new tab)) on the company's NAS devices.

While the XSS vulnerabilities could allow a remote attacker to inject malicious code into vulnerable versions of QNAP's apps, the command injection bugs could be used to elevate privileges, execute arbitrary commands or even take over a device's underlying operating system.

NAS vulnerabilities

Although QNAP has issued patches for six different vulnerabilities in its software, all of these issues have already been fixed in QES 2.1.1 Build 20201006 and later, QTS 4.5.1.1495 build 20201123 and later and QuTS hero h4.5.1.1491 build 20201119 and later.

This means that updating the software on your NAS device is the easiest and fastest way to address all six vulnerabilities. To do so, you'll need to log on to QES, QTS or QuTS hero as an administrator and go to Control Panel > System > Firmware Update. Under the Live Update section, you'll need to click on Check for Update to have QES, QTS or QuTS Hero download and install the latest available update.

Additionally, the update can also be downloaded and installed manually by visiting the Support Download Center (opens in new tab) on QNAP's website.

As NAS devices are often used to backup sensitive files and data, keeping them updated is of the utmost importance to prevent hackers from exploiting any known vulnerabilities.

Via BleepingComputer (opens in new tab)

Anthony Spadafora
Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.