Jump to content
Search In
  • More options...
Find results that contain...
Find results in...
  • Jimi Wikman
    Jimi Wikman

    QNAP devices vulnerable to remote takeover attacks

    According to Henry Huang, a Taiwanese security researcher, there are still hundreds of thousands of QNAP NAS systems that have yet to be patched for no less than three bugs. This allow an attacker to exploit the three bugs to take full control over QNAP devices.

    These bugs was found last year and Henry Huang reported it to QNAP last June. QNAP issues a patch in November last year to fix these bugs and still, 6 months later there are hundreds of thousands of unpatched units online.  These bugs are:

    1. CVE-2019-7192 (CVSS 9.8) (Photo Station bug)
    2. CVE-2019-7194 (CVSS 9.8) (Photo Station bug)
    3. CVE-2019-7195 (CVSS 9.8) (Photo Station)

    The bugs that are connected to the Photo Station app are in themselves not a big issue. It is when chained together they can bypass authentication (bug #1), insert malicious code in the Photo Station app PHP session (bug #2), and then install a web shell on unpatched QNAP devices (bug #3).

    Henry Huang have written detailed information regarding the bugs in an article on Medium. He also strongly advice users to patch their QNAP NAS as soon as possible. If that is not possible then he suggest that you take it off the Internet as it can be used for malicious purposes or you could attract a ransomware gang.

    This is of course the official recommendation from QNAP as well.

    • Shocked 1

    User Feedback

    Recommended Comments

    There are no comments to display.

    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.

    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.

  • Similar Content

    • By ©Jimi Wikman
      Every week there are a lot of interesting news that I pick up and in this post you will find my best finds of the week divided into the main categories of this site: Management, Design, Requirement / QA, Development, Test and special interests such as Atlassian. Let us get into it.
      The Ultimate Guide to Dark Mode for Email Marketers -  Alice Li over at Litmus take us through Dark Mode for Emails. ESLint v6.7.0 released - The javascript linting tool got a new update with some new features. Top New Features of Angular 9 - This Angular 9 preview post takes you through all the features coming in the latest version of Angular Release Notes for Safari Technology Preview 98 - Safari Technology Preview Release 98 is now available for download for macOS Catalina and macOS Mojave How to make your first JavaScript chart with JSCharting - A nice guide for how to get started with JSCharting that is easy to follow. Chrome 79 released with tab freezing, back-forward caching, and loads of security features - Pretty extensive article on what is new in Chrome 79. Firefox 71: A year-end arrival - Firefox also got a new release and this is what is in it. Pixels vs. Relative Units in CSS: why it’s still a big deal - Kathleen McMahon walk us through the importance of pixels vs relative units.  
      Over two dozen encryption experts call on India to rethink changes to its intermediary liability rules - India is proposing a new law that could have serious impact on security as well as technical impact. Exploit Fully Breaks SHA-1, Lowers the Attack Bar - A proof-of-concept attack has been pioneered that “fully and practically” breaks the Secure Hash Algorithm 1 (SHA-1) code-signing encryption This password-stealing malware just got updated with new tactics to help it hide - Predator the Thief updated again with new tricks to make people's lives miserable. Accenture to Acquire Symantec's Security Services Unit from Broadcom - My old employer Accenture expands it's managed security services offerings and capabilities. TikTok Riddled With Security Flaws - Not really a surprise, but it is a bit troubling considering it's popularity among our younger generations. Critical Firefox 0-Day Under Active Attacks – Update Your Browser Now! - Mozilla released Firefox 72.0.1 and Firefox ESR 68.4.1 versions to patch a critical zero-day vulnerability in its browsing software that an undisclosed group of hackers is actively exploiting in the wild. Chinese Malware Found Preinstalled on US Government-Funded Phones - Who would have guessed?  
      This is the first post of this type and I would like to know if you want more like this?
      Also please add a comment if I missed anything important this week.
  • Create New...