Security News

QNAP has released security updates to fix multiple high severity security vulnerabilities impacting network-attached storage devices running the QES, QTS, and QuTS hero operating systems. CVE-2020-2503: Stored cross-site scripting QES vulnerability - enables remote attackers to inject malicious code in File Station.

QNAP Systems is warning of high-severity flaws that plague its top-selling network attached storage devices. QTS is the operating system for NAS systems, while the QuTS Hero is an operating system that combines the app-based QTS with a 128-bit ZFS file system to provide more storage management.

Network-attached storage maker QNAP today released security updates to address vulnerabilities that could enable attackers to take control of unpatched NAS devices following successful exploitation. The eight vulnerabilities patched today by QNAP affect all QNAP NAS devices running vulnerable software.

QNAP today announced two vulnerabilities affecting QTS, the operating system powering its network-attached storage devices, that could allow running arbitrary commands. The network-attached storage device vendor does not provide too many details about the two issues but says that recent QTS releases include the necessary patches.

Storage solutions provider QNAP this week published an advisory to warn customers that certain versions of QTS, the operating system for its network-attached storage devices, are affected by the Zerologon vulnerability. "If exploited, this elevation of privilege vulnerability allows remote attackers to bypass security measures via a compromised QTS device on the network. The NAS may be exposed to this vulnerability if users have configured the device as a domain controller in Control Panel > Network & File Services > Win/Mac/NFS > Microsoft Networking," the company explains.

Network-attached storage device maker QNAP warns customers that some NAS storage devices running vulnerable versions of the QTS operating system are exposed to attacks attempting to exploit the critical Windows ZeroLogon vulnerability. While NAS devices aren't commonly used as a Windows domain controller, some organizations might want to use this feature to allow IT admins to use some NAS models to manage user accounts, authentication, and enforce domain security.

QNAP has addressed two critical security vulnerabilities in the Helpdesk app that could enable potential attackers to take over unpatched QNAP network-attached storage devices. Helpdesk is the built-in app that comes with QNAP's NAS devices and allows admins to submit help requests to the QNAP support team over the Internet.

Recent attacks targeting QNAP Network Attached Storage devices were attempting to exploit a vulnerability that was addressed in July 2017, 360 Netlab security researchers say. Analysis of the QNAP NAS vulnerability revealed that it resides in the CGI program /httpd/cgi-bin/authLogout.

In a joint alert this week, the United States and the United Kingdom warned that a piece of malware has infected over 62,000 QNAP network-attached storage devices. "Due to these data breach concerns, QNAP devices that had been infected may still be vulnerable to reinfection after removing the malware," the company said.

There are approximately 62,000 malware-infested QNAP NAS devices located across the globe spilling all the secrets they contain to unknown cyber actors, the US CISA and the UK NCSC have warned. Dubbed QSnatch, the sophisticated malware targets QTS, the Linux-based OS powering QNAP's NAS devices, and is able to log passwords, scrape credentials, set up an SSH backdoor and a webshell, exfiltrate files and, most importantly, assure its persistence by preventing users from installing updates that may remove it and by preventing the QNAP Malware Remover app from running.