Security News > 2021 > April > QNAP caught napping as disclosure delay expires, critical NAS bugs revealed
Some QNAP network attached storage devices are vulnerable to attack because of two critical vulnerabilities, one that enables unauthenticated remote code execution and another that provides the ability to write to arbitrary files.
On Thursday QNAP released TS-231 firmware version 4.3.6.1620, which addresses a command injection vulnerability and a vulnerability in Apache HTTP server.
The two vulnerabilities were found in the NAS web server and the DLNA server, respectively, according to Puyeski, who said SAM has withheld details about the vulnerabilities because there are tens of thousands of QNAP devices exposed to the internet.
The NAS web server bug was identified by fuzzing - injecting data programmatically - various cgi files, based on past observations that QNAP NAS devices have implemented web pages that don't require authentication and execute server-side code.
QNAP did not immediately respond to a request for comment.
"The current situation is that we've fixed and released patches for mainstream versions of our NAS operating systems," QNAP belatedly told The Reg.
News URL
https://go.theregister.com/feed/www.theregister.com/2021/04/02/qnap_bug_nas/
Related news
- Jetpack fixes critical information disclosure flaw existing since 2016 (source)
- QNAP fixes NAS backup software zero-day exploited at Pwn2Own (source)
- Synology Urges Patch for Critical Zero-Click RCE Flaw Affecting Millions of NAS Devices (source)
- D-Link won’t fix critical flaw affecting 60,000 older NAS devices (source)
- Critical bug in EoL D-Link NAS devices now exploited in attacks (source)