
QNAP Patches Firmware Update Injection Flaw

A while ago, researchers at F-Secure Corp. found a flaw in QNAP’s operating system that could let an attacker gain full administrator access to the device. It has now been patched, so you should check that your QNAP system is running the latest firmware – but be careful about how you check it this time, because the flaw sits in the automatic update check itself.

The researchers found that attackers could chain vulnerabilities in the device’s firmware update process to seize administrative control. That gives them the same rights as a legitimate administrator: installing malware, accessing content and data, stealing passwords, and remotely executing commands.

Harry Sintonen, senior security consultant at F-Secure, developed a proof-of-concept exploit to confirm that these vulnerabilities could be exploited by attackers. “Many of these types of vulnerabilities are not severe on their own. But attackers able to put them together can cause a massive compromise,” said Sintonen. “Successful hackers understand that even small security oversights can become big opportunities with the right know-how.”

Sintonen’s proof-of-concept starts with the device’s firmware update check, which is sent back to the vendor unencrypted. Because the exchange is in the clear, an attacker who can see the traffic can intercept the request and modify the response the device acts on. That sounds simple, but pulling it off takes a fair amount of skill, and that is the silver lining in the original story.

“In this case, attackers first need to put themselves between the update server and user, and this extra step is enough work to discourage many opportunistic or low-skilled attackers,” said Kauhanen.
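To make the flaw class concrete, here is an added example (not F-Secure’s proof-of-concept and not QNAP’s real update protocol or file format, all of which are constructed stand-ins here) of why a cleartext update check can be hijacked by an on-path attacker even when the reply carries a hash of the firmware image, and how authenticating the reply itself closes the hole. The "signature" uses an HMAC with a constructed key purely to stay dependency-free; a vendor would use a public-key signature so the device only ever holds a verification key.

```python
import hashlib
import hmac
import json

# Constructed sample data for this example only; not QNAP's update protocol.
GENUINE_IMAGE = b"genuine firmware image (constructed stand-in)"
MALICIOUS_IMAGE = b"backdoored firmware image (constructed stand-in)"
VENDOR_KEY = b"constructed-demo-key"  # stand-in for the vendor's signing key


def manifest_for(image: bytes, url: str) -> dict:
    """A plaintext update-check reply: where to fetch the image and what it should hash to."""
    return {"model": "TS-251", "version": "4.2.3", "build": "20170121",
            "url": url, "sha256": hashlib.sha256(image).hexdigest()}


GENUINE_REPLY = manifest_for(GENUINE_IMAGE, "http://update.vendor.example/TS-251.img")


def mitm_rewrite(reply: dict) -> dict:
    """An on-path attacker rewrites the cleartext reply. Because the hash travels in the
    same unauthenticated message, the attacker simply recomputes it for their own image."""
    tampered = dict(reply)
    tampered["url"] = "http://attacker.example/TS-251.img"
    tampered["sha256"] = hashlib.sha256(MALICIOUS_IMAGE).hexdigest()
    return tampered


def naive_client(reply: dict, image: bytes) -> bool:
    """Trusts whatever the reply says: installs if the downloaded image matches the hash
    in the reply. A tampered reply plus the attacker's image passes this check."""
    return hashlib.sha256(image).hexdigest() == reply["sha256"]


def canonical(reply: dict) -> bytes:
    # Deterministic serialisation so signer and verifier hash identical bytes.
    return json.dumps(reply, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(reply: dict) -> str:
    """Vendor side: authenticate the manifest before it leaves the update server."""
    return hmac.new(VENDOR_KEY, canonical(reply), hashlib.sha256).hexdigest()


def verifying_client(reply: dict, signature: str, image: bytes) -> bool:
    """Device side: accept only a manifest whose signature verifies, then check the image.
    Rewriting url/sha256 invalidates the signature, so the attacker's image is rejected
    even though its hash matches what the tampered manifest claims."""
    if not hmac.compare_digest(sign_manifest(reply), signature):
        return False
    return hashlib.sha256(image).hexdigest() == reply["sha256"]


def run_scenario(tamper: bool) -> dict:
    """Simulate one update check, optionally with an attacker between device and server."""
    signature = sign_manifest(GENUINE_REPLY)          # computed by the vendor
    reply = mitm_rewrite(GENUINE_REPLY) if tamper else GENUINE_REPLY
    image = MALICIOUS_IMAGE if tamper else GENUINE_IMAGE  # what reply["url"] would serve
    return {"naive_installs": naive_client(reply, image),
            "verifying_installs": verifying_client(reply, signature, image)}


if __name__ == "__main__":
    print("no attacker:", run_scenario(tamper=False))
    print("on-path attacker:", run_scenario(tamper=True))
```

Encrypting the channel (TLS with a pinned or properly validated server certificate) would also stop the on-path rewrite described in the article, but signing the manifest and the image is the stronger property: it holds even if the transport is downgraded or a mirror is compromised.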

With the background covered, back to the story at hand. Since the exploitation goes through the automated update process, you should update your QNAP NAS/NVR manually to QTS 4.2.3 build 20170121 or build 20170124. Which one you need depends on the device: build 20170124 is for the TS-809 and TS-809U models, build 20170121 for all other models. A manual firmware update is relatively simple and done in five steps.

  1. Download the firmware package for your model from the QNAP download page.
  2. Log on as administrator to the QTS web console.
  3. Go to ‘Control Panel’ > ‘System’ > ‘Firmware Update’ > ‘Firmware Update’.
  4. Click ‘Browse’ and then locate the package on your computer.
  5. Click ‘Update System’.
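If you manage several units, the model-dependent build numbers above are easy to get wrong. The following is an added example (not QNAP’s tooling) that encodes the article’s rule: QTS 4.2.3 build 20170124 for the TS-809 and TS-809U, build 20170121 for everything else. It assumes a later QTS release carries the fix forward, and it parses a constructed sample in the style of the QTS `/etc/config/uLinux.conf` file; that the real file holds `Model`, `Version` and `Build Number` keys under `[System]` is an assumption, so check yours before pointing the parser at it.

```python
import re

# Fixed builds from the article: TS-809/TS-809U need 20170124, all other models 20170121.
FIXED_VERSION = (4, 2, 3)
FIXED_BUILD = {"TS-809": 20170124, "TS-809U": 20170124}
DEFAULT_FIXED_BUILD = 20170121

# Constructed sample in the style of QTS's /etc/config/uLinux.conf (assumed key names).
SAMPLE_CONF = """[System]
Model = TS-809U
Version = 4.2.3
Build Number = 20170121
"""


def parse_system_section(conf_text: str) -> dict:
    """Minimal INI reader returning the key/value pairs of the [System] section."""
    section, out = None, {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        header = re.match(r"\[(.+)\]$", line)
        if header:
            section = header.group(1)
            continue
        if section == "System" and "=" in line:
            key, value = line.split("=", 1)
            out[key.strip()] = value.strip()
    return out


def is_patched(model: str, version: str, build: str) -> bool:
    """True if (version, build) is at or past the fixed build for this model."""
    ver = tuple(int(p) for p in version.split("."))
    if ver != FIXED_VERSION:
        # Assumption: releases after 4.2.3 include the fix; releases before it do not.
        return ver > FIXED_VERSION
    return int(build) >= FIXED_BUILD.get(model, DEFAULT_FIXED_BUILD)


def check_conf(conf_text: str) -> bool:
    """Parse a uLinux.conf-style text and report whether the unit is on a fixed build."""
    info = parse_system_section(conf_text)
    return is_patched(info["Model"], info["Version"], info["Build Number"])


if __name__ == "__main__":
    status = "patched" if check_conf(SAMPLE_CONF) else "NOT patched, update manually"
    print(status)
```

Run it against the config of each unit rather than trusting the web console’s own update check, which is the component the flaw lives in.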

It’s nice to see companies acting quickly on such issues and releasing the appropriate patches.

Bohs Hansen

