
QNAP NAS vulnerabilities not patched after almost a year

by Hilbert Hagedoorn on: 01/18/2017 10:46 AM | 5 comment(s)

F-Secure reports that three vulnerabilities in QNAP NAS systems have not been patched almost a year after they were reported. Chained together, they give an attacker full control over the device, and with it the data and passwords stored on it.

F-Secure found the vulnerabilities on the QNAP TVS-663, but other devices from the manufacturer could very well be vulnerable as well, Myce reports:

An attacker who exploits the three vulnerabilities obtains admin privileges on the device. With those privileges an attacker can install malware, send spam, or steal data and passwords.

The culprit is the automatic firmware update feature of the NAS. When the device fetches an update, it does not verify that the firmware really comes from QNAP. An attacker positioned between the NAS and the update server (a man-in-the-middle) can therefore substitute a malicious firmware image, which the device installs, and take control of it.
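The check the article says is missing, as an added example that is neither QNAP's code nor part of F-Secure's report: a toy update client in Go with the vulnerable path (flash whatever the update URL returns) beside a hardened one that verifies a detached Ed25519 signature under a vendor public key pinned in the device and refuses version rollback. The package format, the type and field names, and the choice of Ed25519 are assumptions made for illustration; the firmware images are constructed sample strings.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Package is what an update server hands to the NAS (illustrative format, not QNAP's).
// The detached signature covers version||sha256(image), so the two cannot be mixed and matched.
type Package struct {
	Version   uint32
	Image     []byte
	Signature []byte
}

// Device holds only the vendor's public key, pinned at build time; the signing key never leaves the vendor.
type Device struct {
	VendorPubKey ed25519.PublicKey
	Version      uint32
	Installed    []byte
}

var (
	ErrBadSignature = errors.New("firmware signature does not verify under the pinned vendor key")
	ErrRollback     = errors.New("firmware version is not newer than the installed one")
)

// signedBytes is the exact byte string the vendor signs and the device verifies.
func signedBytes(version uint32, image []byte) []byte {
	var v [4]byte
	binary.BigEndian.PutUint32(v[:], version)
	digest := sha256.Sum256(image)
	return append(v[:], digest[:]...)
}

// SignPackage is the vendor-side step, done offline in the release pipeline with the private key.
func SignPackage(priv ed25519.PrivateKey, version uint32, image []byte) Package {
	return Package{Version: version, Image: image, Signature: ed25519.Sign(priv, signedBytes(version, image))}
}

// ApplyUnverified models the flaw the article describes: whatever arrives from the
// update URL, or from an attacker sitting on the path, is flashed as-is.
func (d *Device) ApplyUnverified(p Package) error {
	d.Version, d.Installed = p.Version, p.Image
	return nil
}

// ApplyVerified checks the signature before the image is parsed or written, and refuses
// a version that does not move forward, so a replayed old-but-genuine image cannot reintroduce fixed bugs.
func (d *Device) ApplyVerified(p Package) error {
	if !ed25519.Verify(d.VendorPubKey, signedBytes(p.Version, p.Image), p.Signature) {
		return ErrBadSignature
	}
	if p.Version <= d.Version {
		return ErrRollback
	}
	d.Version, d.Installed = p.Version, p.Image
	return nil
}

// Outcome records what each update path did; only the unverified device should end up running the attacker's image.
type Outcome struct {
	UnverifiedRunsAttackerImage, VerifiedRunsAttackerImage, GenuineAccepted bool
	VerifiedErr, ReplayErr                                                 error
}

// Scenario: the vendor signs a genuine v2 image; a man-in-the-middle keeps that signature but
// swaps the body, then replays the genuine v1 package. Both devices start on v1. Images are constructed samples.
func Scenario() (Outcome, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	genuine := SignPackage(priv, 2, []byte("constructed sample: genuine image v2"))
	mitm := Package{Version: 2, Image: []byte("constructed sample: backdoored image"), Signature: genuine.Signature}
	old := SignPackage(priv, 1, []byte("constructed sample: genuine image v1"))
	unverified := &Device{VendorPubKey: pub, Version: 1}
	verified := &Device{VendorPubKey: pub, Version: 1}
	_ = unverified.ApplyUnverified(mitm)
	o := Outcome{VerifiedErr: verified.ApplyVerified(mitm)}
	o.GenuineAccepted = verified.ApplyVerified(genuine) == nil && bytes.Equal(verified.Installed, genuine.Image)
	o.ReplayErr = verified.ApplyVerified(old)
	o.UnverifiedRunsAttackerImage = bytes.Equal(unverified.Installed, mitm.Image)
	o.VerifiedRunsAttackerImage = bytes.Equal(verified.Installed, mitm.Image)
	return o, nil
}

func main() {
	fmt.Println(Scenario())
}
```

The point of the split is that the property that fails in the man-in-the-middle case is a signature over the image itself, which transport encryption alone does not give you: TLS to the update server authenticates the server, but a device that still flashes whatever it receives is one compromised mirror or one misissued certificate away from the same outcome. The version check exists for the same reason: an attacker who cannot forge a signature can still replay an older, genuinely signed image with known bugs unless the device refuses to go backwards.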

F-Secure reported the vulnerabilities to QNAP in February last year, but the company still hasn't patched them. So far only the TVS-663 is confirmed to be affected, but because QNAP ships the same firmware on multiple models, it is very likely that other QNAP NAS devices are vulnerable too.

At least 1.4 million TVS-663 devices are running the firmware, and possibly millions of other QNAP devices are just as vulnerable. QNAP is the world's second-largest NAS supplier. F-Secure recommends that QNAP owners running QTS firmware 4.2 (or later) disable automatic updates and check for updates manually until the issue is fixed. Since the weakness is that the device does not authenticate the image it receives, a manual update only helps if the firmware is obtained from QNAP directly and its checksum is verified out of band before installation.









sdamaged99
Senior Member



Posts: 2037
Joined: 2006-12-12

#5382654 Posted on: 01/18/2017 03:13 PM
This is why I use unRAID and not a "consumer" NAS

snip3r_3
Senior Member



Posts: 2983
Joined: 2004-12-17

#5382658 Posted on: 01/18/2017 03:27 PM
This is why I use unRAID and not a "consumer" NAS


While unRAID is not a commercial off-the-shelf NAS, it is still very much "consumer" grade. It is, simply put, just another Linux-based OS, like QNAP QTS, Synology DSM, and the various WD/Seagate/Netgear/Asustor/etc. variants.

While there are BSD-based (like FreeNAS) and Windows-based NAS distributions/off-the-shelf units, each has vulnerabilities. You always have to stay up to date, and preferably with a vendor that is focused on security, as simply updating wouldn't have helped QNAP users against the MITM attack here.

Kaarme
Senior Member



Posts: 2979
Joined: 2013-03-10

#5382702 Posted on: 01/18/2017 05:50 PM
Maybe if the attacker could make the device explode like Note 7, the company would do something about it.

__hollywood|meo
Senior Member



Posts: 2990
Joined: 2005-09-27

#5382860 Posted on: 01/19/2017 12:10 AM
This happened because QNAP doesn't properly encrypt firmware update traffic. The simple fact that such absurd oversights occur to this day doesn't surprise me anymore; what I'm shocked by is that the company was notified a year ago and has not updated the vulnerable protocol in any way.

This kind of sloppy crap also highlights exactly why automatic updates are cancer. If you want a secure system, don't trust others to do your work for you.

Kaarme
Senior Member



Posts: 2979
Joined: 2013-03-10

#5382959 Posted on: 01/19/2017 11:06 AM
This kind of sloppy crap also highlights exactly why automatic updates are cancer.


No, not really. The biggest weakness is always the human user. Botnets thrive because people don't manually update software and firmware, and don't even change the 1234 factory default passwords. Out of laziness, ignorance, or not enough workforce in business (that is, supposedly saving money). Remove automatic updates and the already nasty situation will first explode, then implode.



Guru3D.com © 2022