Security News > 2021 > April > QNAP caught napping as disclosure delay expires, critical NAS bugs revealed
Some QNAP network attached storage devices are vulnerable to attack because of two critical vulnerabilities, one that enables unauthenticated remote code execution and another that provides the ability to write to arbitrary files.
On Thursday QNAP released TS-231 firmware version 4.3.6.1620, which addresses a command injection vulnerability and a vulnerability in Apache HTTP server.
The two vulnerabilities were found in the NAS web server and the DLNA server, respectively, according to Puyeski, who said SAM has withheld details about the vulnerabilities because there are tens of thousands of QNAP devices exposed to the internet.
The NAS web server bug was identified by fuzzing - injecting data programmatically - various cgi files, based on past observations that QNAP NAS devices have implemented web pages that don't require authentication and execute server-side code.
QNAP did not immediately respond to a request for comment.
"The current situation is that we've fixed and released patches for mainstream versions of our NAS operating systems," QNAP belatedly told The Reg.
News URL
https://go.theregister.com/feed/www.theregister.com/2021/04/02/qnap_bug_nas/