Security News > 2021 > February > QNAP patches critical vulnerability in Surveillance Station NAS app
QNAP has addressed a critical security vulnerability in the Surveillance Station app that allows attackers to execute malicious code remotely on network-attached storage devices running the vulnerable software.
Surveillance Station is QNAP's network surveillance Video Management System, a software solution that can help users manage and monitor up to 12 IP cameras.
The critical security flaw patched today by QNAP is a stack-based buffer overflow vulnerability impacting QNAP NAS devices running Surveillance Station.
Surveillance Station 5.1.5.4.3 for ARM CPU NAS and x86 CPU NAS. Surveillance Station 5.1.5.3.3 for ARM CPU NAS and x86 CPU NAS. The company has also patched a medium severity cross-site scripting vulnerability affecting earlier versions of the Photo Station app used to upload images to QNAP NAS device, create albums, or view them remotely.
QNAP alerted customers in September 2020 of an AgeLocker ransomware campaign targeting Internet exposed NAS devices in attacks exploiting older and vulnerable Photo Station versions.
Qihoo 360's 360 Netlab also said in August that attackers were scanning for vulnerable NAS devices trying to exploit a remote code execution firmware vulnerability fixed over three years ago, in July 2017.
News URL
Related news
- QNAP addresses critical flaws across NAS, router software (source)
- QNAP fixes NAS backup software zero-day exploited at Pwn2Own (source)
- Hackers target critical zero-day vulnerability in PTZ cameras (source)
- Synology Urges Patch for Critical Zero-Click RCE Flaw Affecting Millions of NAS Devices (source)
- Cisco Releases Patch for Critical URWB Vulnerability in Industrial Wireless Systems (source)
- Critical vulnerability in Cisco industrial wireless access points fixed (CVE-2024-20418) (source)
- CISA Alerts to Active Exploitation of Critical Palo Alto Networks Vulnerability (source)
- D-Link won’t fix critical flaw affecting 60,000 older NAS devices (source)
- Week in review: Zero-click flaw in Synology NAS devices, Google fixes exploited Android vulnerability (source)
- Critical bug in EoL D-Link NAS devices now exploited in attacks (source)