According to Henry Huang, a Taiwanese security researcher, there are still hundreds of thousands of QNAP NAS systems that have yet to be patched for no less than three bugs. This allow an attacker to exploit the three bugs to take full control over QNAP devices.
These bugs was found last year and Henry Huang reported it to QNAP last June. QNAP issues a patch in November last year to fix these bugs and still, 6 months later there are hundreds of thousands of unpatched units online. These bugs are:
- CVE-2019-7192 (CVSS 9.8) (Photo Station bug)
- CVE-2019-7194 (CVSS 9.8) (Photo Station bug)
- CVE-2019-7195 (CVSS 9.8) (Photo Station)
The bugs that are connected to the Photo Station app are in themselves not a big issue. It is when chained together they can bypass authentication (bug #1), insert malicious code in the Photo Station app PHP session (bug #2), and then install a web shell on unpatched QNAP devices (bug #3).
Henry Huang have written detailed information regarding the bugs in an article on Medium. He also strongly advice users to patch their QNAP NAS as soon as possible. If that is not possible then he suggest that you take it off the Internet as it can be used for malicious purposes or you could attract a ransomware gang.
This is of course the official recommendation from QNAP as well.