‘Critical’ Weaknesses Threaten QNAP Access Storage; Unauthenticated Command Execution Possible
Certain versions of the QTS operating system powering network storage (NAS) devices from QNAP allow complete access to the device to authenticated users with limited privileges. The vulnerabilities can also be exploited remotely by an unauthenticated attacker, who could operate with full administrative rights.
Three of the weaknesses affecting QTS releases lower than 4.2.4 Build 20170313 allow the insertion of arbitrary commands when certain scripts are called. These have been labeled “critical” in severity, and can be exploited without authentication if the devices face the Internet directly, a scenario not unusual for home users or even small offices. Even worse, the process of taking control of devices exposed on the web can be automated, says Harry Sintonen, the security researcher who reported these bugs to QNAP.
When exploited by authenticated users who have restricted data access and operation privileges on the NAS, the vulnerabilities grant unfettered access and full control. In either case, an offender “is able to execute arbitrary commands as administrative user (root). The attacker has full access to all content on the targeted device, and can read, modify or remove content at will,” the researcher says.
The latest update to QTS was prompted by about 20 weaknesses reported by multiple security researchers. The new firmware version was released in March and the company labeled it “critical” in a security advisory, making clear the severity of the bugs it addressed.
Unless the automatic check for firmware updates is enabled, users are advised to apply the latest update either through the Live Update function in the administrative web interface, or manually by downloading the new QTS version from QNAP’s support page.
Public vulnerability disclosure, complete with a full exploitation description, is usually delayed until some time has passed since the release of the patch, to allow the update to reach more devices. However, this precaution is ineffective when the automatic updates option is not available, and many devices remain vulnerable for much longer.
Photo credit: QNAP