Jump to content
Search In
  • More options...
Find results that contain...
Find results in...

[Article] QNAP devices vulnerable to remote takeover attacks


Jimi Wikman
 Share

Recommended Posts

  • Owner

According to Henry Huang, a Taiwanese security researcher, there are still hundreds of thousands of QNAP NAS systems that have yet to be patched for no less than three bugs. This allow an attacker to exploit the three bugs to take full control over QNAP devices.

These bugs was found last year and Henry Huang reported it to QNAP last June. QNAP issues a patch in November last year to fix these bugs and still, 6 months later there are hundreds of thousands of unpatched units online.  These bugs are:

  1. CVE-2019-7192 (CVSS 9.8) (Photo Station bug)
  2. CVE-2019-7194 (CVSS 9.8) (Photo Station bug)
  3. CVE-2019-7195 (CVSS 9.8) (Photo Station)

The bugs that are connected to the Photo Station app are in themselves not a big issue. It is when chained together they can bypass authentication (bug #1), insert malicious code in the Photo Station app PHP session (bug #2), and then install a web shell on unpatched QNAP devices (bug #3).

Henry Huang have written detailed information regarding the bugs in an article on Medium. He also strongly advice users to patch their QNAP NAS as soon as possible. If that is not possible then he suggest that you take it off the Internet as it can be used for malicious purposes or you could attract a ransomware gang.

This is of course the official recommendation from QNAP as well.


View full blog article

Link to comment
Share on other sites

  • Replies 0
  • Created
  • Last Reply

Top Posters In This Topic

Popular Days

Top Posters In This Topic

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

  • Similar Content

    • By Jimi Wikman
      Every week there are a lot of interesting news that I pick up and in this post you will find my best finds of the week divided into the main categories of this site: Management, Design, Requirement / QA, Development, Test and special interests such as Atlassian. Let us get into it.
      Development
      The Ultimate Guide to Dark Mode for Email Marketers -  Alice Li over at Litmus take us through Dark Mode for Emails. ESLint v6.7.0 released - The javascript linting tool got a new update with some new features. Top New Features of Angular 9 - This Angular 9 preview post takes you through all the features coming in the latest version of Angular Release Notes for Safari Technology Preview 98 - Safari Technology Preview Release 98 is now available for download for macOS Catalina and macOS Mojave How to make your first JavaScript chart with JSCharting - A nice guide for how to get started with JSCharting that is easy to follow. Chrome 79 released with tab freezing, back-forward caching, and loads of security features - Pretty extensive article on what is new in Chrome 79. Firefox 71: A year-end arrival - Firefox also got a new release and this is what is in it. Pixels vs. Relative Units in CSS: why it’s still a big deal - Kathleen McMahon walk us through the importance of pixels vs relative units.  
      Security
      Over two dozen encryption experts call on India to rethink changes to its intermediary liability rules - India is proposing a new law that could have serious impact on security as well as technical impact. Exploit Fully Breaks SHA-1, Lowers the Attack Bar - A proof-of-concept attack has been pioneered that “fully and practically” breaks the Secure Hash Algorithm 1 (SHA-1) code-signing encryption This password-stealing malware just got updated with new tactics to help it hide - Predator the Thief updated again with new tricks to make people's lives miserable. Accenture to Acquire Symantec's Security Services Unit from Broadcom - My old employer Accenture expands it's managed security services offerings and capabilities. TikTok Riddled With Security Flaws - Not really a surprise, but it is a bit troubling considering it's popularity among our younger generations. Critical Firefox 0-Day Under Active Attacks – Update Your Browser Now! - Mozilla released Firefox 72.0.1 and Firefox ESR 68.4.1 versions to patch a critical zero-day vulnerability in its browsing software that an undisclosed group of hackers is actively exploiting in the wild. Chinese Malware Found Preinstalled on US Government-Funded Phones - Who would have guessed?  
      This is the first post of this type and I would like to know if you want more like this?
      Also please add a comment if I missed anything important this week.

      View full blog article
    • By Jimi Wikman
      Every week there are a lot of interesting news that I pick up and in this post you will find my best finds of the week divided into the main categories of this site: Management, Design, Requirement / QA, Development, Test and special interests such as Atlassian. Let us get into it.
      Development
      The Ultimate Guide to Dark Mode for Email Marketers -  Alice Li over at Litmus take us through Dark Mode for Emails. ESLint v6.7.0 released - The javascript linting tool got a new update with some new features. Top New Features of Angular 9 - This Angular 9 preview post takes you through all the features coming in the latest version of Angular Release Notes for Safari Technology Preview 98 - Safari Technology Preview Release 98 is now available for download for macOS Catalina and macOS Mojave How to make your first JavaScript chart with JSCharting - A nice guide for how to get started with JSCharting that is easy to follow. Chrome 79 released with tab freezing, back-forward caching, and loads of security features - Pretty extensive article on what is new in Chrome 79. Firefox 71: A year-end arrival - Firefox also got a new release and this is what is in it. Pixels vs. Relative Units in CSS: why it’s still a big deal - Kathleen McMahon walk us through the importance of pixels vs relative units.  
      Security
      Over two dozen encryption experts call on India to rethink changes to its intermediary liability rules - India is proposing a new law that could have serious impact on security as well as technical impact. Exploit Fully Breaks SHA-1, Lowers the Attack Bar - A proof-of-concept attack has been pioneered that “fully and practically” breaks the Secure Hash Algorithm 1 (SHA-1) code-signing encryption This password-stealing malware just got updated with new tactics to help it hide - Predator the Thief updated again with new tricks to make people's lives miserable. Accenture to Acquire Symantec's Security Services Unit from Broadcom - My old employer Accenture expands it's managed security services offerings and capabilities. TikTok Riddled With Security Flaws - Not really a surprise, but it is a bit troubling considering it's popularity among our younger generations. Critical Firefox 0-Day Under Active Attacks – Update Your Browser Now! - Mozilla released Firefox 72.0.1 and Firefox ESR 68.4.1 versions to patch a critical zero-day vulnerability in its browsing software that an undisclosed group of hackers is actively exploiting in the wild. Chinese Malware Found Preinstalled on US Government-Funded Phones - Who would have guessed?  
      This is the first post of this type and I would like to know if you want more like this?
      Also please add a comment if I missed anything important this week.
    • By Jimi Wikman
      According to Henry Huang, a Taiwanese security researcher, there are still hundreds of thousands of QNAP NAS systems that have yet to be patched for no less than three bugs. This allow an attacker to exploit the three bugs to take full control over QNAP devices.
      These bugs was found last year and Henry Huang reported it to QNAP last June. QNAP issues a patch in November last year to fix these bugs and still, 6 months later there are hundreds of thousands of unpatched units online.  These bugs are:
      CVE-2019-7192 (CVSS 9.8) (Photo Station bug) CVE-2019-7194 (CVSS 9.8) (Photo Station bug) CVE-2019-7195 (CVSS 9.8) (Photo Station) The bugs that are connected to the Photo Station app are in themselves not a big issue. It is when chained together they can bypass authentication (bug #1), insert malicious code in the Photo Station app PHP session (bug #2), and then install a web shell on unpatched QNAP devices (bug #3).
      Henry Huang have written detailed information regarding the bugs in an article on Medium. He also strongly advice users to patch their QNAP NAS as soon as possible. If that is not possible then he suggest that you take it off the Internet as it can be used for malicious purposes or you could attract a ransomware gang.
      This is of course the official recommendation from QNAP as well.

×
×
  • Create New...