News

QNAP Patches Firmware Update Injection Flaw

A while ago, F-Secure Corp.’s researchers found a flaw in QNAP’s operating system that could allow a hacker to gain full administrator access to your system, but luckily it has now been patched. That means that you should check you QNAP system if it has the latest firmware installed – but beware how you check it this time.

The investigation by the researchers found that attackers could use vulnerabilities in the device’s firmware update process to seize administrative control. This degree of control would give them the same rights as legitimate administrators, allowing attackers to do things like install malware, access content and data, steal passwords, and even remotely execute commands.

Harry Sintonen, senior consultant, security, F-Secure, developed a proof-of-concept exploit to confirm that these vulnerabilities could be exploited by attackers. “Many of these types of vulnerabilities are not severe on their own. But attackers able to put them together can cause a massive compromise,” said Sintonen. “Successful hackers understand that even small security oversights can become big opportunities with the right know-how.”

Sintonen’s proof-of-concept begins when the device sends unencrypted requests for firmware updates back to the company. This lack of encryption allows potential attackers to intercept and modify the response to that request. While it sounds simple, it isn’t and it requires quite a few skills to perform, and that’s the silver lining in the original story.

“In this case, attackers first need to put themselves between the update server and user, and this extra step is enough work to discourage many opportunistic or low-skilled attackers,” said Kauhanen.

Now that we got the background information, back to the story at hand. Since the possible exploitation occurs through the automated update process, you should update your QNAP NAS/NVR manually to QTS 4.2.3 build 20170121 or 20170124. Which version depends on your NAS device and the latter build is for the TS-809 and TS-809U models while the first mentioned build is for the rest. The manual firmware update is relatively simple and done in five simple steps.

  1. Download the package from the QNAP download page
  2. Log on as administrator to the QTS web console.
  3. Go to ‘Control Panel’ > ‘System’ > ‘Firmware Update’ > ‘Firmware Update’.
  4. Click ‘Browse’ and then locate the package on your computer.
  5. Click ‘Update System’.

It’s nice to see companies acting quickly on such issues and releasing the appropriate patches.

Bohs Hansen

Disqus Comments Loading...

Recent Posts

ROLL20 Lets You Run D&D and TTRPG Games Directly in Discord

If you play DnD and if you play DnD online there is a very high…

3 hours ago

Dragon’s Dogma 2 New Patch is Now Available For Download

The new patch for Dragons Dogma 2 is here and it has fixed many of…

5 hours ago

MSI Crosshair 15 15″ QHD 165Hz i7 RTX 3060 Gaming Laptop

With unprecedented new performance hybrid architecture, 12th Generation Intel® Core™ processors offer a unique combination…

6 hours ago

NZXT N7 AMD Ryzen B650E Black Cover ATX Motherboard

Leveraging more than 14 years of professional PC building know how, NZXT has provided the…

6 hours ago

Mountain Everest Max Black RGB Gaming Keyboard Cherry MX Red Switches Customizable

Everest Max is the last word in mechanical keyboards with modularity and customization unlike any…

6 hours ago

Logitech G502 X Plus Wireless/Wired RGB Gaming Mouse

G502 X PLUS is the latest addition to legendary G502 lineage. Reinvented with our first-ever…

6 hours ago