QNAP released a security update in October last year after learning about the vulnerability and responding slowly six months later !!  - HKEPC hardware

QNAP released a security update in October last year after learning about the vulnerability and responding slowly six months later !! – HKEPC hardware

QNAP was aware of the impact in October last year
The response was very slow and the security update was released half a year later !!

Text: K.K. Wong / News Center

QNAP is locked by NAS ransomware Qlocker. The security firm Seamless Network reported two related vulnerabilities to QNAP on October 12 and November 29 last year, offering a 120-day grace period. To address QNAP vulnerabilities. The relevant vulnerability report was later released to the public. Unfortunately, the response to QNAP was very slow, with the result that the damage had not yet been repaired before the deadline. The final report was released on March 31. QNAP No Release security update until April 16th. Unfortunately, it was too late.

According to Seamless Network’s Yaniv Puyeski, they detected the most severe vulnerabilities in QNAP NAS devices in October and November last year, and followed QNAP’s standard procedures, allowing a grace period of 4 months after allowing QNAP to resolve. , The public was informed that these vulnerabilities allowed full access to the device from the network without any authorization, including access to data stored by the user.

Despite revealing the seamless network innovation process and the steps to be taken for QNAP, the offer period has exceeded one month. As of the release of the vulnerability report, two serious vulnerabilities have yet to be fixed.

1. RCE vulnerability of the web server

This vulnerability allows hackers to execute any web shell command over the NAS web server service (default TCP port 8080) via CGI, which may trigger unauthorized remote code operation, infecting all QNAP NAS devices exposed to the Internet.

See also  Using the iPhone for a long time without knowing these 4 tips is "bad friends"!

The vulnerability was fully disclosed to the QNAP Security Committee by October 12, 2020. The table is as follows:

On October 12, 2020, vulnerability and solution recommendations were fully disclosed to the QNAP Security Committee.

On October 23, 2020, another email notification was sent to the QNAP Security Committee

October 31, 2020 Get automatic response only from QNAP support with ticket number.

The offer period announced for QNAP on 21 January 26, 2021 is February 12.

The N QNAP Help Desk finally responded on January 26, 2021: The problem has been confirmed, but it is still ongoing.

The offer period of 21 February 12, 2021 has expired.

On March 21, 2021, Seamless Network released a related vulnerability report.

2. Spontaneous file write vulnerability on the DLNA server

This vulnerability allows hackers to create spontaneous file data access anywhere through the DLNA server service (default port 8200), and enables UPNP requests on port 8200. This vulnerability will eventually allow hackers to trigger remote code activation.

The vulnerability was fully disclosed to the QNAP Security Committee on November 29, 2020. The table is as follows:

Informed the QNAP Security Committee on November 29, 2020,But there was no response from QNAP.

The offer period of 21 March 29, 2021 has expired.

On March 21, 2021, Seamless Network released a related vulnerability report.

On the second day after the vulnerability report was released, the seamless network pointed out that QNAP had contacted the seamless network about the above security issues, but two vulnerabilities in the new QNAP model of the QTS 4.5 version have been resolved, but they are not suitable for older older models, and the GNAP seamless network’s response to the site ‘ The solution also works, and they will be delivered in the next few weeks.

See also  Tamron 17-70mm f2.8d III-A VC RXD lens for Sony ABS-C cameras

Finally, QNAP released a safety bulletin and update for both vulnerabilities on April 19th. It is recommended that all QNAP users fix vulnerabilities immediately. Unfortunately, it is too late to cause serious disaster for QNAP NAS users. For half a year, a detailed process can be found:https://securingsam.com/new-vulnerabilities-allow-complete-takeover/

About QNAP Security Bulletin and Firmware Update:

https://www.qnap.com/en/security-advisory/qsa-21-05

https://www.qnap.com/en/security-advisory/qsa-21-11

Disclosure table of unrestricted network for QNAP vulnerabilities:

https://securingsam.com/new-vulnerabilities-allow-complete-takeover/

QNAP vulnerabilities

Check Also

types of online slot players

Understanding the Different Types of Online Slot Players

Online slots have become a popular form of entertainment for millions of people worldwide. The …

Leave a Reply

Your email address will not be published. Required fields are marked *